Phishing potentiality affects Safari, Firefox password storage

CNET staff

Heise Security reports on a phishing vulnerability caused by Firefox's password manager. In a nutshell, because Firefox stores form field entries so it can automatically insert usernames and passwords on previously visited Web sites, a maliciously crafted page hosted on the same site can coax the saved credentials into a form of its own and trick the user into submitting them (or submit them automatically) to a server the attacker controls.

The phishing mechanism, as demonstrated, also affects Safari and the Mac OS X Keychain.

Heise writes:

"The trick is currently being used in at least one page on MySpace to send phished login data to a Lycos server. A test by heise Security's editors confirms the problem in Firefox: the browser enters the data into visited HTML documents with forms without checking their original location or the destination to which data is sent. Internet Explorer 7 does not demonstrate the same behaviour: when recording locations, it notes the subdirectory to which the form belongs. This makes phishing somewhat more complicated, since attackers must then plant a form into a trusted site; mind you, the flaws in many web sites mean that even this is no longer a major hurdle. The current version of Opera does not enter any data automatically. Users must instead select the appropriate login information with the magic wand."

There is a demonstration of the flaw here. We were able to reproduce this bug in-house using both Firefox 2.0 and Safari 2.0.4 under Mac OS X 10.4.8.
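To make the difference between the browser behaviours Heise describes concrete, here is an added example (not code from the article, and not Firefox's, Safari's or IE7's actual implementation): a toy model of the autofill decision. A saved login records the origin and directory of the page it was captured on and the origin it was submitted to; each policy adds one more check before a form is filled. The site, attacker host and form paths are constructed for illustration.

```javascript
// Added example, not code from the article or from Mozilla/Apple/Microsoft: a toy
// model of the autofill decision the article describes. Each policy adds one check.
//   "hostOnly"       - Firefox 2.0 / Safari as described: same host is enough.
//   "hostPath"       - IE7 as described: the form's page must also sit under the
//                      directory where the login was saved.
//   "hostPathAction" - additionally, the form must submit to the origin the saved
//                      login was originally submitted to (the destination check
//                      the article says Firefox does not perform).
const POLICIES = ["hostOnly", "hostPath", "hostPathAction"];

// Constructed sample: a login saved on a fictional social site's /login/ page.
const SAVED_LOGIN = {
  pageOrigin: "https://www.social.example",
  pageDir: "/login/",
  actionOrigin: "https://www.social.example",
};

// Scheme + host (+ port) of a URL, i.e. its origin.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Directory part of a path: "/login/index.html" -> "/login/"
function dirOf(pathname) {
  return pathname.slice(0, pathname.lastIndexOf("/") + 1);
}

// form = { pageUrl, action }; action may be relative, as in real HTML, and is
// resolved against the page URL before its origin is compared.
function shouldAutofill(policy, saved, form) {
  const page = new URL(form.pageUrl);
  const actionUrl = new URL(form.action, form.pageUrl);
  if (originOf(page.href) !== saved.pageOrigin) return false;
  if (policy === "hostOnly") return true;
  if (!dirOf(page.pathname).startsWith(saved.pageDir)) return false;
  if (policy === "hostPath") return true;
  return originOf(actionUrl.href) === saved.actionOrigin;
}

// Constructed forms: the genuine login form, one planted on a user profile page
// (the MySpace-style case), and one planted under the login directory, which is
// the extra step Heise says IE7's subdirectory check forces on the attacker.
const FORMS = {
  genuine: {
    pageUrl: "https://www.social.example/login/index.html",
    action: "/login/submit",
  },
  plantedProfile: {
    pageUrl: "https://www.social.example/profile/mallory",
    action: "https://collector.attacker.example/grab",
  },
  plantedUnderLogin: {
    pageUrl: "https://www.social.example/login/comments/42",
    action: "https://collector.attacker.example/grab",
  },
};

// Returns { formName: { policy: boolean } } for every form and policy.
function evaluateAll(saved = SAVED_LOGIN, forms = FORMS) {
  const result = {};
  for (const [name, form] of Object.entries(forms)) {
    result[name] = {};
    for (const policy of POLICIES) {
      result[name][policy] = shouldAutofill(policy, saved, form);
    }
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateAll());
}
```

Run with `node autofill-policy.js`. The host-only policy fills all three forms, including the two whose action points at the attacker's collector; the IE7-style directory check stops the profile-page form but not one planted under `/login/`; only comparing the form's resolved action origin against the one the credentials were saved for refuses both planted forms while still filling the genuine one.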

For Firefox, this can be prevented by going to the "Security" pane of the application's preferences and deselecting "Remember passwords for sites."

For Safari, it can be prevented by going to the "AutoFill" pane of the application's preferences and deselecting "User names and passwords."

Feedback? Late-breakers@macfixit.com.
