[hblug] Firefox Flaw Could Let Attackers Fake Connections
Michael Adams
linux_mike at paradise.net.nz
Sat Feb 17 08:58:17 NZDT 2007
Original story
http://www.cbc.ca/technology/story/2007/02/15/tech-firefoxcookiebug-20070215.html
http://www.f-secure.com/weblog/archives/archive-022007.html#00001114
On Fri, 16 Feb 2007 15:57:52 +1300
Perry Spiller wrote:
> Firefox Flaw Could Let Attackers Fake Connections
> Thursday, February 15, 2007 | CBC News
>
> A flaw in the Firefox web browser could trick people into
> thinking they are connected to a trusted site when the
> program is actually receiving data from an attacker.
>
> The vulnerability, which affects all versions of Firefox's web
> browser, could allow a specially designed website to
> manipulate the authentication cookies for trusted websites
> such as an online bank, said F-Secure Corp. of Helsinki,
> Finland, in a post to its security blog. That could allow an
> attacker to steal sensitive information.
>
Fascinating on several counts.
The story doesn't seem to have reached Slashdot or Mozillazine.
My default config (ask if every new site can post cookies) beats it.
Test your Firefox here.
http://lcamtuf.dione.cc/ffhostname.html
F-Secure are the authors of F-Prot antivirus, which is a good (read
cheap) business virus checker. Ten licenses for US$50 with discounts for
NPOs and educational institutions. Yet they seem to have in this case
broken one of the cardinal rules of net security: advise the software
manufacturer first to allow a fix to be engineered before releasing the
news.