Wednesday, November 22, 2006

Whoa! Even Firefox Isn't Safe!

A new vulnerability, complete with exploit in the wild, has been logged against Firefox (the same exploit works against IE7).

This is a really bad one: Whenever you visit a site containing user-supplied HTML (such as, well, this one, for example), a page can be crafted to slurp your credentials for that site -- invisibly -- and send them off to wherever the phisher desires.

For example, if you have an account on Blogger, I may have already stolen your credentials if you click anywhere on this page! (I didn't. Honest.)

Basically the exploit fools Firefox's (or IE's) password manager into saying "Hey, I know the site this page is from, and we have a login for it, so what harm?"

Plenty, as it turns out.
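As an added illustration (not code from this post or from Mozilla), here is the autofill decision in JavaScript: the page-origin-only rule the post describes, beside a stricter rule that also requires the form's submit target to be the origin the credentials were saved for. The login record, URLs and function names are constructed for the example.

```javascript
// Saved credential record, as a password manager might keep it (constructed sample).
const savedLogin = {
  origin: "https://www.blogger.com",       // site the user logged in to
  actionOrigin: "https://www.blogger.com", // where the genuine login form posted
  username: "alice",
};

// Resolve a form's action attribute against the page URL and return its origin.
// An empty or missing action resolves to the page itself.
function formActionOrigin(pageUrl, action) {
  return new URL(action || "", pageUrl).origin;
}

// Weak rule (the behaviour the post describes): fill whenever the page comes
// from a site we hold a login for, regardless of where the form will send it.
function autofillByPageOrigin(login, pageUrl, action) {
  return new URL(pageUrl).origin === login.origin;
}

// Stricter rule: the page must match the saved origin AND the form's target
// must be the origin the credentials were saved for, so a user-supplied form
// on the same site that posts elsewhere gets nothing filled in.
function autofillByActionOrigin(login, pageUrl, action) {
  const pageOrigin = new URL(pageUrl).origin;
  const targetOrigin = formActionOrigin(pageUrl, action);
  return pageOrigin === login.origin && targetOrigin === login.actionOrigin;
}
```

The stricter rule is the kind of check that closes the hole; the weak rule shows why a same-site page holding arbitrary user HTML was enough.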

Mad props to Slashdot for publicizing this one.


