Security

Password flaw hits Firefox and Safari

Serious flaw found in Safari

Firefox update reaches 150 million downloads in 24 hours

Apple slides security fixes into Safari update

Safari 4 storms out the gates

Breaking Stories

Australia wants IT professionals

McAfee glitch causes havoc for IT admins

DIY data centres

Windows 7 rumoured ready for manufacturing

Vale Internode Unwired customers

The latest versions of Firefox and Safari contain a password management security flaw that could allow certain websites to access stored usernames and passwords.

A message on the Full Disclosure mailing list warned that users who have either browser configured to remember passwords, and have JavaScript enabled, are at risk.

Mozilla fixed a similar reverse cross-site scripting flaw in Firefox last November, but this was a lot more serious as it did not require JavaScript to be enabled.

Heise Security has a demonstration of the vulnerability on its website to allow users to determine whether they are vulnerable to the attack.

However, some developers and commentators have questioned whether this constitutes a vulnerability in the browser, as it requires the attacker to place malicious code on the web server.

If an attacker can place script code on a server, they would be able to manipulate the pages anyway, and would have other ways to steal user access data.

Until a fix is released, users are urged to disable JavaScript in their browser or avoid the use of the password manager on sites where users are allowed to post JavaScript pages.

Comments

Be the first to comment on this article.

Thoughts on this article? Add a comment below.

Comment:

Want to participate in the discussion?

Or log in now to comment

Ads by Google

Top Stories

Basslink lights up with commercial traffic

Calls for second independent cable.

Bluetooth "Big Brother" tracks festival-goers

Might have retail and security applications.

But dollars depend on demand.

Spotlightthe topics we're following

Latest Comments

""The researchers will only track the devices' MAC address -- a number that identifies each ..."

on Bluetooth "Big Brother" tracks festival-goers

by forcedregsucks Jul 6, 2009 9:34 PM

" Erin Kutz wrote: A tiny fraction of those who use the fast-growing social network phenomenon ..."

on Just a few on Twitter do all the tweeting - study

by Slatts Jul 6, 2009 8:58 AM

"I'm thinking there was some robust discussion in the Sawers household when Sir John got home ..."

on British spy chief's cover blown on Facebook

by Slatts Jul 6, 2009 8:41 AM

"Well... that seems disturbing but I just can't seem to put my finger on why. I think it just ..."

on Aussie firm sells Twitter followers

by Slatts Jul 6, 2009 8:35 AM

"I'm kind of assuming that the water was used in water cooled condensers for the air-conditioning...."

on Macquarie data centre loses water supply

by Slatts Jul 2, 2009 8:54 PM

Polls

What will you do when your iPhone contract comes up for renewal?

Retain my current service provider
Switch to a cheaper plan
Switch to a better network
Switch to whoever offers free tethering
Change handset altogether

| View results

Retain my current service provider

11%

Switch to a cheaper plan

18%

Switch to a better network

17%

Switch to whoever offers free tethering

18%

Change handset altogether

35%

TOTAL VOTES: 207