The recently discovered flaw affects the latest release of Firefox, version 2.0, and by exploiting it, an attacker could obtain sensitive data from the user, such as usernames and passwords.
The bug was discovered by Robert Chapin, a Microsoft Certified Engineer who, because this is a new form of attack, named it “reverse cross-site request” (RCSR).
The flaw takes advantage of Firefox’s Password Manager feature which can be exploited to send a username and password combination to an attacker’s computer without the user’s knowledge. This is possible because Password Manager doesn’t check the authenticity of the URL before sending the information to the website.
The RCSR attack could also affect Internet Explorer but it’s more likely to succeed on Firefox because Internet Explorer will not automatically be transmit passwords unless the RCSR form appears on the same page as a legitimate login form.
In order to prevent the effects of the exploit, users are advised to disable the Password Manager feature in Firefox by simply untick the “remember passwords for sites” box in the browser’s options, under security tag.
The Password Manager feature is used by a large number of web surfers as it provides a convenient and comfortable way of remembering and entering passwords for different web sites. Unfortunately, as other tools which are meant to offer a certain amount of comfort in frequent human activities, this one proves to be a security issue in the end, enforcing the opinion that the more comfortable you are, the most insecure you become.