Beware: IE and Firefox can help steal your password!

Just when we were settling into the so-called more secure versions of the two most popular browsers, Robert Chapin has stated that both Internet Explorer 7 and Firefox 2 are vulnerable to what he has dubbed a reverse cross-site request, or RCSR.

An exploit for this flaw has already been seen on the social-networking site MySpace.com, where Netcraft discovered a fraudulent login page hosted on MySpace servers.

Chapin states that an RCSR attack is much more likely to succeed than an XSS attack because neither Internet Explorer nor Firefox is designed to check the destination of form data before the user submits it. The browser doesn’t sound an alarm because the exploit is conducted on the trusted Web site.

Firefox is more vulnerable to this type of attack because it can autofill forms even on RCSR pages. IE is better off here because it doesn’t do so.

So next time be extra careful while logging in.

Mozilla is working on a fix for Firefox 2. There are no reports on whether lower versions of Firefox are vulnerable as well, or on whether Opera can also be attacked.
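
The destination check that the browsers do not perform can be done by the site itself. The following is an added example, not code from the original post or from Chapin: a Python check a site hosting user-supplied HTML could run to flag password forms whose data would leave the site's origin. The class and function names, host names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordFormAudit(HTMLParser):
    """Record the resolved submit target of every form holding a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.base_url = page_url, page_url
        self.form, self.targets = None, []     # open form (if any), collected targets

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):     # <base> redirects relative actions
            self.base_url = urljoin(self.page_url, a["href"])
        elif tag == "form":
            self._finish()                      # tolerate unclosed or nested forms
            self.form = {"action": (a.get("action") or "").strip(), "pw": False}
        elif tag == "input" and self.form is not None and (a.get("type") or "").lower() == "password":
            self.form["pw"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._finish()

    def _finish(self):
        form, self.form = self.form, None
        if form and form["pw"]:                 # an empty action submits to the page itself
            self.targets.append(urljoin(self.base_url, form["action"])
                                if form["action"] else self.page_url)

def origin(url):
    p = urlsplit(url)
    return p.scheme, (p.hostname or "").lower(), p.port or {"http": 80, "https": 443}.get(p.scheme)

def offsite_password_forms(page_url, html):
    """Return submit targets of password forms that leave the page's origin."""
    audit = PasswordFormAudit(page_url)
    audit.feed(html)
    audit.close()
    audit._finish()                             # flush a form left open at end of input
    return [t for t in audit.targets if origin(t) != origin(page_url)]

# Constructed sample: the site's own login form, an off-site search form without
# a password field, and a user-supplied form that sends a password elsewhere.
PAGE = "https://social.example/profile/alice"
HTML = """
<form action="/login" method="post"><input name="u"><input type="password" name="p"></form>
<form action="https://search.example/q"><input name="q"></form>
<form action="https://collector.example/save"><input name="u"><input type="PASSWORD" name="p"></form>
"""
print(offsite_password_forms(PAGE, HTML))
```

This inspects static markup only; a form target set by script or by a `formaction` attribute on a button is not covered.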


  1. I will do that. As of now, just be careful about which sites you submit your usernames and passwords to.

    If it is really secure data make sure you check where the form is being submitted to.

