Thursday, November 23, 2006

IE7 Affected By Password Flaw -- Somewhat

The reported Firefox 2.0 Password Manager flaw is now also being reported as affecting IE7. It is really Firefox that is primarily affected by this flaw as it will automatically pre-fill forms with saved data.

Chapin Information Services, which refers to it as the Reverse Cross-Site Request (RCSR) vulnerability, explains:

"RCSR attacks are also actively targeting Microsoft Internet Explorer, however a flaw in Firefox makes the attack much more likely to succeed.

The Password Manager component of Firefox can be exploited to send a username and password combination to an attacker's computer without the user's knowledge.

Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum websites at trusted addresses."

However, even though The Register is putting IE first in their headline, "IE and Firefox blighted by fake login flaw", Chapin goes on to explain that IE7 is nowhere near as vulnerable to this flaw as Firefox. The difference is that it will only affect IE users if the RCSR form is on the same page as a legitimate login form. With Firefox, the Password Manager will automatically pre-fill all forms with saved data.
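For a blog or forum operator, one check that follows from this is to hold back user-submitted HTML that contains a form with a password field or a form that posts to another origin. The sketch below is an added example, not code from Chapin or either browser; it assumes the site accepts HTML in posts, and `audit_user_content`, the URLs and the sample comment are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a forum page URL and a user-submitted comment body.
PAGE_URL = "https://forum.example.com/thread/42"
SAMPLE_COMMENT = (
    '<p>Great post!</p>'
    '<form action="https://collector.example.net/save" method="post">'
    '<input type="text" name="user"><input type="password" name="pass">'
    '</form>'
)

def origin(url):
    """Reduce a URL to (scheme, host, port) for same-origin comparison."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)

class FormAuditor(HTMLParser):
    """Record each <form>, its resolved action, and any password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            target = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": target, "password_field": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password_field"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_user_content(html, page_url):
    """Return forms in user-submitted HTML that should block publication."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    findings = []
    for form in auditor.forms:
        off_site = origin(form["action"]) != origin(page_url)
        if form["password_field"] or off_site:
            findings.append({**form, "off_site": off_site})
    return findings
```

A site that has no need for forms in posts is better served by an allowlist sanitizer that drops `form` and `input` elements outright; this check only shows what to look for.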
