Jawed’s Blog

Friend: calls your parents by mr. and mrs.
Best friend: calls your parents dad and mom.

Friend: has never seen you cry
Best friend: has always had the best shoulder to cry on

Friend: never asks for anything to eat or drink
Best friend: opens the fridge and makes themself at home

Friend: picks you up when you fall
Best Friend: laughs at you and trips you again

Friend: asks you to write down your number.
Best friend: they ask you for their number (cuz they can’t remember it)

Friend: borrows your stuff for a few days then gives it back.
Best friend: has a closet full of your stuff

Friend: only knows a few things about you
Best friend: could write a biography on your life story

Friend: will leave you behind if that is what the crowd is doing
Best friend: will always go with you

Friend: would igonre this post after reading
Best friend: will send link to this post to me and all of their online buddies

A security flaw has been discovered in Mozilla Foundation’s Firefox 2 and Microsoft’s Internet Explorer 7 web browsers. Hackers can use this flaw to capture the username and password of users.

Firefox’s Password Manager Software seems to be the source of the flaw. This software automatically fills the username and password into another login page. A hacker can make use of this flaw by creating a fake login page and the browser would be tricked into providing the username and password.

This can be done on sites that allow user created pages such as blogs and forums. This method was used on the social networking site MySpace reported late October. The hacker registered a username with MySpace and used it to host a fake login page. Users who accessed MySpace using Firefox thereafter had their information compromised.

This flaw has been named Reverse Cross Site Request vulnerability (RCSR) by Robert Chapin, who detected this flaw. RCSR poses a greater threat than Cross-site scripting (XCS) as the page is more convincing and shows no sign of external content or open redirects. The reason why RCSR succeeds in Firefox and IE is that both the browsers do not check the destination server, where the password is being sent. Besides since such a reversal happens at a trusted site the browser brings up no alerts.

Robert Chapin has provided a detailed description of the type of attack that can happen and a presentation of how it works on his site. The site also warns that firewalled local network servers and HTTP addresses that are not generally accessible are most vulnerable to these attacks as the hacker does not require direct access.

Though Firefox has been proven to be completely vulnerable to this attack IE seems to have a better defense. IE will not automatically fill the username and password till it accurately checks the source of the login form. Hence it will be tricked only if the RCSR page appears on the same page as a legitimate login page.

A bug report regarding this flaw has been filed with Mozilla but no fix has yet been found. Security experts have recommended that Firefox’s Password Manager be disabled and the Master Password Timeout extension be installed.

This extension locks the master security device after a specific period of inactivity. Users have also been advised to disable the Remember password for sites option in Firefox.

For some days I have been receiving mails sent to other address the difference between that address and mine is a single dot. When I researched further, I found that its a functionality, how GMAIL works. Read from here.

According to google, Gmail doesn’t recognize dots (.) as characters within a username. This way, you can add and remove dots to your username for desired address variations. Messages sent to your.username@gmail.com and y.o.u.r.u.s.e.r.n.a.m.e@gmail.com are delivered to the same inbox, since the characters in the username are the same. But you have to use dot in order to log into your account.

They shouldn’t allow dots at first place, if this was the case. If you have an email address that has dot in it then change it ASAP. You might be loosing confidential data to someone else.

Does this mean Google mail is not secure?