Firefox gives passwords awayBuggedBy Nick Farrell: Wednesday 22 November 2006, 08:27THE MOZZARELLA Foundation has issued a security warning on its Firebadger open sauce browser.Apparently the browser's secure password manager has a nasty habit of telling other people your user name and password.The problem comes about because Firebadger supplies the username and password stored on one page on a domain to another page on a domain. For example the Username and password input tags on a Myspace user's site will be shared along with the visitor's Myspace.com credentials.According to Robert Chapin, of Chapin Information Services, who reports the problem on Bugzilla, the flaw means that passwords can be stolen without punters being aware of it.In the short term, Mozzarella is suggesting avoiding using Password Manager and the Master Password Timeout Firefox extension.However, an exploit found in the wild mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in.More here. µ
Internet Explorer 7 suffers from Firefox bug tooJust less likely to catch itBy Nick Farrell: Friday 24 November 2006, 07:38IT APPEARS that the latest version of Internet Exploder has the same bug that is, er, bugging the Mozzarella Foundation's Firefox.Earlier this I said Firefox was victim to a bug that "steals" the login id and passwords of users.According to Techtree, the geezer who found the Reverse Cross Site Request vulnerability in Firefox, Robert Chapin, has found the same bug in Explorer.However, the attacks are likely to worry Firefox users more because its Password Manager automatically enters any saved passwords and user-ids into forms, whereas IE can't fill in the saved information automatically.According to Chapin, Firefox and IE users need to be aware that their information can be stolen in this way when visiting bogs and forum Web sites even at trusted addresses.
