aM i LoST ?

Mozilla’s Firefox 2.0 has long been considered a safer Web browser than Microsoft’s Internet Explorer, but a flaw in the Firefox Password Manager could enable hackers steal your login data.

The problem, known as a reverse cross-site request (RCSR)was first discovered by Robert Chapin, a Microsoft Certified Systems Engineer (MCSE) and I.T, consultant. The RCSR appears on blogs, message boards, or group forums that let users add comments with embedded HTML code.

On sites that allow users to enter code, a hacker can embed a form that tricks the user’s browser into sending its username and password information to the hacker’s computer. Because the form is embedded on a trusted Web site, the browser’s built-in antiphishing protection, which is designed to alert users to fraudulent Web sites, does not detect the problem.

Even worse, hackers can make the deceptive form invisible, meaning users can transmit their private data without even knowing it.

Bug #360493

The Mozilla Foundation has acknowledged the problem and named it bug #360493. Microsoft has also admitted that RCSR attacks can affect Internet Explorer, but most reports indicate that Firefox is the more likely target because of the way it stores usernames and passwords.

No patch has yet been released for the problem, but you can avoid reverse cross-site request attacks by simpy disabling your Firefox 2.0 autosave features for usernames and passwords. This feature is found in the “Options” window under the “Tools” menu.

Mozilla has indicated that it plans a fix in Firefox version 2.0.0.1 or 2.0.0.2.