home contact keylogger.org add keylogger.org to favorites set keylogger.org as homepage Anti-Keylogger.org
Keylogger testing and reviews

Keylogger testing policy

Press-releases

Keylogger developers

Links 		Monitoring Software Keylogger articles

Get Free Software

Keylogger chat

Keylogger forum

Sponsorship & services
Advertising
Your Ad Here
Site News
Current section
Keylogger.Org Site News

October 17, 2008

New version of KeyProwler Pro added!
Security World News
Keylogger.Org Security World News

November 20, 2008

International Challenges in PCI Security

Security firm Finjan raises $22 million

iTunes customers angry over copy protection moves at Apple

Have lessons of last year's HMRC fiasco sunk in?

Secerno and F5 hook up on network security

Mozilla warns of Firefox China add-on

Google opens up for mashup security

Cotton Traders tightens credit card protections

Gov't: Most biometric checks will bypass ID database

Antivirus firms unfazed by free Microsoft product

Teenager pleads guilty to botnet, 'swatting' charges

How much does spam cost you? Google will calculate

Feds urged to provide cybersecurity incentives

Fortinet beefs up midrange FortiGate security appliance
Voting

We are planning to redesign our site. We would like You to express your opinion in this respect. Would you like to leave the site as it is? What changes would you like to suggest?

Yes, I like the site as it is.
It's ok, but some changes are necessary.
It should be changed completely.
VotingView results
DISCLAIMER: Logging other people's keystrokes or breaking into other people's computer without their permission can be considered illegal by the courts of many countries. The monitoring software reviewed here is ONLY for authorized system administrators and/or owners of computers. We assume no liability and are not responsible for any misuse or damage caused by the keylogging software. The end user of this software is obliged to obey all applicable local, state, federal and other laws in his country of residence.

November 23, 2006

Firefox, IE vulnerable to fake login pages?

Mozilla's Firefox 2 and Microsoft's Internet Explorer 7 are vulnerable to a flaw that could allow attackers to steal passwords.

Dubbed a reverse cross-site request, or RCSR, vulnerability by its discoverer, Robert Chapin, the flaw lets hackers compromise users' passwords and usernames by presenting them with a fake login form. Firefox Password Manager will automatically enter any saved passwords and usernames into the form.

The data is then automatically sent to an attacker's computer without the user's knowledge, according to the Chapin Information Services site.

An exploit for this flaw has already been seen on social-networking site MySpace.com, and it could affect anyone using a blog or forum that allows user-generated HTML code to be added, according to Chapin.

‘Users of both Firefox and Internet Explorer need to be aware that their information can be stolen in this way when visiting blog and forum Web sites at trusted addresses,’ Chapin said.

According to security company Netcraft, which discovered the exploit being used on MySpace, a fraudulent login page was hosted on the company's own servers.

As the page did not exhibit any signs of external content, such as cross-site scripting (XSS) or open redirects, it is ‘convincing, and even security-conscious users are at risk of becoming victims,’ CIS said.

The attack was launched from a profile page, and it used specially crafted HTML to hide the genuine MySpace content from the page and instead display its own login form.

According to Chapin, an RCSR attack is much more likely to succeed than an XSS attack because neither Internet Explorer nor Firefox is designed to check the destination of form data before the user submits them. The browser doesn't sound an alarm because the exploit is conducted at the trusted Web site.

Two weeks ago, CIS reported to Mozilla that the Firefox Web browser will automatically fill saved usernames and passwords into RCSR forms. Attacks are more likely to succeed in Firefox because Internet Explorer will not automatically fill in saved usernames and passwords, unless the RCSR form appears on the same page as a legitimate login form.

No fix had been issued by Mozilla at the time of writing, though a bug report has been filed. The organization is reportedly working on a fix for Firefox 2, but it's not clear whether earlier versions are also affected. Security company Secunia has advised users to disable the ‘Remember passwords for sites’ option in Firefox preferences.

To take advantage of the flaw, a malicious hacker would have to create a fake login form on a trusted Web site. CIS has recommended that all Webmasters review their server code for the possibility of XSS and RCSR injections, especially operators of encrypted Web sites.

‘These attacks could be highly effective against firewalled local network servers and HTTPS addresses that are not otherwise accessible because the attacker does not need direct access,’ the CIS site said.


Source: CNET News




All news for November 20, 2008:
13:26International Challenges in PCI Security
13:22Security firm Finjan raises $22 million
13:21iTunes customers angry over copy protection moves at Apple
13:18Have lessons of last year's HMRC fiasco sunk in?
13:16Secerno and F5 hook up on network security
13:15Mozilla warns of Firefox China add-on
13:13Google opens up for mashup security
13:12Cotton Traders tightens credit card protections
12:58Gov't: Most biometric checks will bypass ID database
12:57Antivirus firms unfazed by free Microsoft product
12:55Teenager pleads guilty to botnet, 'swatting' charges
12:54How much does spam cost you? Google will calculate
12:54Feds urged to provide cybersecurity incentives
12:49Fortinet beefs up midrange FortiGate security appliance

All news for November 19, 2008:
13:51Cybersecurity is focus of new University of Texas start-up incubator
13:50Branch office security, traffic management get a lift
13:49Latest robots showcase security, teaching skills
13:46Will Microsoft's antivirus move draw antitrust fire?
13:45Unisys survey looks beyond cybersecurity
13:41UK citizens ready for biometrics
13:41Global firms ignoring web-based threats
13:40Imprivata improves access management
13:39BNP membership details leaked online
13:32Virus downs systems at three London hospitals
13:32Microsoft replaces OneCare with free product
13:28Hosting firm takedown bags 500,000 bots
13:27Court halts sale of spyware program



All news for November, 2008
All news for 2008 year
All news for 2007 year
All news for 2006 year
All news for 2005 year
All news for 2004 year

DONATION: Keylogger.org is an independent research project supported by a team of enthusiasts. If you find this project useful or would like to help foster its continued development please consider making a donation using PayPal`s online secure payment service.

A PayPal account is not required. All major credit cards are accepted (MasterCard/Eurocard, Visa/Delta/Electron, American Express, Switch/Maestro, Solo). Simply click the button below.

Any amount would be useful and appreciated!

Thanks in advance for your support!

Advertising
| home | testing and reviews | testing policy | press_releases | developers |

| articles | contest | chat | forum | sponsorship & services | contacts | links |
Copyright © 2003-2008, Keylogger.Org Team. All Rights Reserved.
Use of any information from this website is permitted only with hypertext link to www.keylogger.org.