I’ve been so busy this past week with work that I have not had a chance to keep up on the latest Firefox/Mozilla news. Earlier this week a major vulnerability was exposed for Firefox 220.127.116.11, 2.0, 18.104.22.168pre (not sure about 3.0a1pre) and SeaMonkey 1.0.6:
“A vulnerability in Firefox handling of saved passwords has been announced today. The vulnerability allows Firefox to autofill saved credentials no matter where they are being submitted.
As shown in a test case attached to the relevant bug, as long as similar forms are published in the same web site credentials are retrieved. Robert Chapin, the original reporter, encountered this vulnerability while surfing around MySpace.com, the popular social web site. He visited a user’s profile and was prompted there with a web form resembling MySpace’s typical log on form. Since the form was hosted at MySpace, Firefox autofilled the fake form. A glitch in the fake web form alerted Chapin and saved him from a, somewhat trivial in this case, identity theft.” – Mozilla Links
As a security precaution, it is advisable for users to disable the auto-filling of passwords until this issue is fixed. From the Tools menu, select Options…; then, on the Security tab, uncheck Remember passwords for sites. At this time I am not sure if this is going to be in the Firefox 22.214.171.124 & 126.96.36.199 updates scheduled for December 14th.
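
The autofill decision described in the quoted report, next to a stricter one that also checks where the form submits, as an added example that is not from the original post or from Mozilla's code. The record fields, function names and example.* hosts are assumptions, and the sample data is constructed.

```javascript
// Constructed sample: a saved login records the origin of the page it was
// captured on and the origin its form submitted to (hypothetical fields).
const savedLogins = [
  {
    pageOrigin: "https://social.example",
    submitOrigin: "https://login.social.example",
    username: "alice",
  },
];

// Resolve a form's action against the page URL and return its origin,
// or null when the action is unparseable or not http(s).
function submitOriginOf(pageUrl, action) {
  try {
    // An empty action submits back to the page itself.
    const target = new URL(action || pageUrl, pageUrl);
    if (target.protocol !== "https:" && target.protocol !== "http:") return null;
    return target.origin;
  } catch {
    return null;
  }
}

// Page-only matching, the behaviour the report describes: any form served
// from the saved site is filled, and the action is never consulted.
function matchByPageOnly(pageUrl, action) {
  const pageOrigin = new URL(pageUrl).origin;
  return savedLogins.filter((l) => l.pageOrigin === pageOrigin);
}

// Stricter matching: the form must also submit to the origin that was
// recorded when the login was saved.
function matchByPageAndTarget(pageUrl, action) {
  const pageOrigin = new URL(pageUrl).origin;
  const submitOrigin = submitOriginOf(pageUrl, action);
  if (submitOrigin === null) return [];
  return savedLogins.filter(
    (l) => l.pageOrigin === pageOrigin && l.submitOrigin === submitOrigin
  );
}

// Constructed case: a form on a user profile page that posts off-site.
const profile = "https://social.example/profile/123";
const offsite = "https://collector.example/save";
console.log("page-only fills:", matchByPageOnly(profile, offsite).length);
console.log("page+target fills:", matchByPageAndTarget(profile, offsite).length);
```

Comparing origins rather than full URLs keeps the check stable when a site changes its login path while still refusing forms that post to another host.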