The problem, known as a reverse cross-site request, or RCSR, appears on blogs, message boards, or group forums that let users add comments with embedded HTML code.
On sites that allow users to enter code, a hacker can embed a form that tricks the user's browser into sending its username and password information to the hacker's computer. Because the form is embedded on a trusted Web site, the browser's built-in antiphishing protection, which is designed to alert users to fraudulent Web sites, does not detect the problem.
Even worse, hackers can make the deceptive form invisible, meaning users can transmit their private data without even knowing it.
Mozilla has acknowledged the problem and named it bug #360493. Microsoft has also admitted that RCSR attacks can affect Internet Explorer, but most reports indicate that Firefox is the more likely target because of the way it stores usernames and passwords.
Neither Mozilla nor Microsoft has released a patch for the problem, but users can avoid RCSR attacks simply by disabling their browsers' autosave features for usernames and passwords. In Firefox, the feature is found in the "Options" window under the "Tools" menu.