A vulnerability in Firefox's handling of saved passwords has been announced today. The vulnerability allows Firefox to autofill saved credentials no matter where the form submits them.
As shown in a test case attached to the relevant bug, as long as a similar form is published on the same web site, the saved credentials are retrieved. Robert Chapin, the original reporter, encountered this vulnerability while surfing around MySpace.com, the popular social web site. He visited a user's profile and was presented there with a web form resembling MySpace's typical log-on form. Since the form was hosted at MySpace, Firefox autofilled the fake form. A glitch in the fake web form alerted Chapin and saved him from a (somewhat trivial, in this case) identity theft.
Users must be aware and act cautiously. Double check autofilled forms and don't submit credentials from atypical locations, especially where another user may have edited the content, such as a web forum post or a user profile.
However, if you prefer to stay on the safe side of this issue, you had better disable password saving in Firefox:
- In the Tools menu, select Options…
- In the Security page, uncheck Remember passwords for sites
I checked other browsers and found that SeaMonkey 1.0.6 has the exact same behavior, which is no surprise given how much it has in common with Firefox. Internet Explorer 7 doesn't automatically fill the fake form in the test case, but lists the credentials as if it were the real one. Opera 9.02's Wand, its password management tool, correctly differentiates them and doesn't autofill the fake form.
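To make the difference between the browsers concrete, here is an added example (not code from the original post, from Firefox or from Opera) that models the two autofill policies described above: matching on the page's origin alone, versus also requiring the form's submit target to match the one the login was saved for. The saved login, host names and forms are constructed sample data.

```javascript
// Added example: a loose versus a strict password-autofill policy.
// Scheme + host of a URL; path and query string must not influence the decision.
function originOf(href) {
  return new URL(href).origin;
}

// What a password manager could record when saving a login (constructed values).
const savedLogin = {
  pageOrigin: "https://social.example",   // page the user logged in on
  actionOrigin: "https://social.example", // host that login form submitted to
  username: "alice",
};

// Loose policy (the behaviour the post describes): fill whenever the page origin matches.
function shouldFillLoose(saved, form) {
  return originOf(form.pageUrl) === saved.pageOrigin;
}

// Strict policy (what the post credits Opera's Wand with): also require the form's
// submit target to match. A relative action resolves against the page URL; a
// missing action submits to the page itself.
function shouldFillStrict(saved, form) {
  const action = new URL(form.action || "", form.pageUrl).href;
  return (
    originOf(form.pageUrl) === saved.pageOrigin &&
    originOf(action) === saved.actionOrigin
  );
}

// Constructed forms: the site's own login form, a look-alike placed in
// user-editable content that posts to a third-party host, and a form elsewhere.
const forms = [
  { id: "site-login", pageUrl: "https://social.example/login", action: "/session" },
  { id: "profile-form", pageUrl: "https://social.example/users/mallory",
    action: "https://harvest.example/collect" },
  { id: "other-site", pageUrl: "https://unrelated.example/login", action: "/session" },
];

// Returns, per form, what each policy would do, so the difference is visible at a glance.
function compareDecisions(saved, candidates) {
  return candidates.map((f) => ({
    id: f.id,
    loose: shouldFillLoose(saved, f),
    strict: shouldFillStrict(saved, f),
  }));
}

for (const d of compareDecisions(savedLogin, forms)) {
  console.log(`${d.id}: loose=${d.loose} strict=${d.strict}`);
}
```

Only the loose policy fills the look-alike form on the profile page; the strict one refuses it because the submit target is not the origin the login was saved for.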
Indeed. Hopefully an update will be available soon and it will be relevant again!
Ironic how this comes after your post about how to save passwords in Firefox.