I’ve been so busy this past week with work I have not had a chance to keep up on the latest Firefox/Mozilla news. Earlier this week a major vulnerability was exposed for Firefox 1.5.0.8, 2.0, 2.0.0.1pre (not sure about 3.0a1pre) and SeaMonkey 1.0.6:
“A vulnerability in Firefox handling of saved passwords has been announced today. The vulnerability allows Firefox to autofill saved credentials no matter where they are being submitted.
As shown in a test case attached to the relevant bug, as long as similar forms are published in the same web site credentials are retrieved. Robert Chapin, the original reporter, encountered this vulnerability while surfing around MySpace.com, the popular social web site. He visited a user’s profile and was prompted there with a web form resembling MySpace’s typical log on form. Since the form was hosted at MySpace, Firefox autofilled the fake form. A glitch in the fake web form alerted Chapin and saved him from a, somewhat trivial in this case, identity theft.” – Mozilla Links
More technical discussion can be found on Bugzilla (Bug 360493). Also more info on the mozillaZine Firefox Bugs Forum.
As a security precaution it is advisable for users to disable the auto-filling of passwords until this issue is fixed. From the Tools menu, select Options…, on the Security tab, uncheck Remember passwords for sites. At this time I am not sure if this is going to be in the Firefox 1.5.0.9 & 2.0.0.1 updates scheduled for December 14th.
IE7 is also vulnerable.
I have heard rumors IE7 was at well. Opera is suppose to be immune to this as it uses a different method for filling passwords.