The Mozilla Foundation is warning of a critical bug in the new Firefox 2.0 browser that could leave passwords vulnerable to hackers.

The new flaw is in the Password Manager feature of the browser, which stores log-in details for websites so that users do not have to input them every time they visit a protected website.

Users are vulnerable because the Password Manager fails to verify that the URL is legitimate.

The flaw was discovered by Robert Chapin of Chapin Information Services and seems to affect all versions of Firefox, and may also affect Microsoft's Internet Explorer.

"Given the new nature of this type of attack, Chaplin has named this a Reverse Cross-Site Request [RCSR] vulnerability," said the company.

"This flaw could affect anyone visiting a blog or forum website that allows user-contributed HTML code to be added."

Chaplin claims that the attack has already been used to steal the log-in details of MySpace users, who were redirected to a false log-in page where their details were harvested.

The bug is as yet unpatched and Mozilla is advising users to turn off the Password Manager feature until a fix is available.