How does it work? Here’s a quick example of what could happen:
- User visits a site such as their own blog hosted on a popular network (something like Blogger).
- They log in and have Firefox remember their username/password.
- They visit someone else’s blog on the same domain, and a username/password form appears on that page. As expected, Firefox autofills the information (both the username and password) so that the user can just hit Enter to log in.
This flaw can only expose a username and password that Firefox has entered into a form, but Firefox does that automatically for anyone who has stored a password for the site. That means your credentials could be surrendered without you even realizing it.
If you want to try this out yourself, Heise has set up a demo site where you make up a username/password and have Firefox store it. When you then go to the “evil” page, Firefox automatically fills out the form and a popup reveals the username and password you stored.
An alternative that xpgeek pointed out in the forum is to install the Secure Login extension, which prevents Firefox from automatically filling in password forms.
Note: This vulnerability also affects the Safari browser.
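To make the mechanism concrete, here is an added example (not code from the post, Heise or Mozilla) that models a password manager’s autofill decision: a lax rule that fills any password form on the saved host, as described above, beside a stricter rule that also requires the form’s submit destination to match the origin the credentials were originally sent to. The hostnames, URLs and credentials are constructed for illustration.

```javascript
// Simplified model of a browser password manager's "should I autofill?"
// decision. Everything below (hosts, URLs, credentials) is constructed.

// A saved login, recorded when the user first submitted the real form.
const savedLogin = {
  pageHost: "blog.example",               // host of the page that showed the form
  actionOrigin: "https://blog.example",   // origin the form submitted to
  username: "alice",
  password: "hunter2",
};

// Lax rule (the behaviour described in the post): fill any password form
// on a page whose host matches the saved entry. The form's action URL is
// deliberately ignored, which is the weakness.
function shouldAutofillLax(saved, pageUrl, _formAction) {
  return new URL(pageUrl).host === saved.pageHost;
}

// Stricter rule (illustrative mitigation, an assumption of this example):
// additionally require the form's submit destination to match the origin
// the credentials were originally sent to.
function shouldAutofillStrict(saved, pageUrl, formAction) {
  const pageHostMatches = new URL(pageUrl).host === saved.pageHost;
  // Resolve a relative action against the page URL, as a browser would.
  const actionOrigin = new URL(formAction, pageUrl).origin;
  return pageHostMatches && actionOrigin === saved.actionOrigin;
}

// Scenario from the post: a user-authored page on the same blog host
// embeds a login form whose action points at a third-party collector.
const attackerPage = "https://blog.example/evil-user/post";
const attackerFormAction = "https://collector.example/harvest";

// The legitimate login page, for comparison.
const realPage = "https://blog.example/login";
const realFormAction = "/session";

console.log(shouldAutofillLax(savedLogin, attackerPage, attackerFormAction));    // true
console.log(shouldAutofillStrict(savedLogin, attackerPage, attackerFormAction)); // false
console.log(shouldAutofillStrict(savedLogin, realPage, realFormAction));         // true
```

The strict rule only covers a form that posts elsewhere; a script on a same-host page can still read fields the browser has filled in, which is why an extension that makes filling a manual step, as mentioned above, is the more complete workaround.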
— What’s the Most Secure Browser? —
I decided to look up on Secunia, which tracks vulnerabilities for more than 14,000 applications, which browser is currently the most secure. Here’s what I came up with:
- Opera 9.x has had 8 advisories, all of which have been patched. [source]
- Firefox 2.0.x has had 13 advisories, and there are 6 that have not been patched. [source]
- Internet Explorer 7.x has had 14 advisories, and there are 8 that have not been patched. [source]
You can take that information for what it’s worth, but it goes to show that most browsers constantly have security-related flaws.