Sticky Password Manager prevents RCSR attacks

On 21 Nov, 2006, Chaplin Information Services (CIS) discovered a new flaw in the Mozilla Firefox web browser that exposes saved passwords to clever attackers. Given the new nature of this type of attack, CIS has named this a Reverse Cross-Site Request (RCSR) vulnerability. This flaw could affect anyone visiting a weblog or forum website that allows user-contributed HTML code to be added. RCSR attacks are also actively targeting Microsoft Internet Explorer; however, a flaw in Firefox makes the attack much more likely to succeed. The Password Manager component of Firefox can be exploited to send a username and password combination to an attacker's computer without the user's knowledge.

A recent large-scale attack using RCSR targeted MySpace.com users and was first reported by Netcraft on 10/27/2006. That incident involved fake login forms on the MySpace website inviting users to type in their username and password.

Mozilla has confirmed this as bug number 360493 and said they are already working on a fix for version 2.0.0.1 or 2.0.0.2, but there has been no positive feedback from Microsoft. A proof-of-concept demonstration is available at the CIS website.

The developers of Sticky Password Manager have tested the product for the RCSR vulnerability and confirm that the latest version of Sticky Password Manager successfully prevents RCSR attacks in the Mozilla Firefox and Internet Explorer web browsers.