Firefox Spoofing Bug Puts Passwords At Risk
hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff, Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11, and until Mozilla fixes this vulnerability, Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"
Too bad he doesn't want to show an online demo of this, I was kind of getting used to being able to try out these kinds of exploits in my own browser. Call me masochistic.
If you post a message in Slashdot containing your username in the first line, your password in the second and three blank lines below, "PWND" without the quotes in the subject line, and post it using Extrans, you will get loads of karma. It worked for me.
It must have worked, I've got Excellent Karma!
Post-rock/Ambient/Drone and other noise.
All of them. No wait, let me check...
Yep, all of them!
Please stop stalking me, bro.
As with all FOSS, the first course of action needs to be very vocal denials. It's always worked in the past... after all, would anyone be using Firefox if we were honest from the start about all the gaping security holes, buffer overflows, and the over 300 memory leaks? Not likely, especially since IE7 is both more stable and secure... and most people already have it on their computers! Also, now IE8 is coming down the pipe, we won't be able to use the "itz notz teh stadtards komplient!!11!!1!" whine. IE8 could very well be the final nail in our coffin... unless we keep lying and spinning to increase Firefox's market share (or at least not lose too much).
So really, we have to deny early and often. And hey, this is FOSS: fixing problems is really secondary. If they don't like it, let them go buy something, the cheap bastages. You get what you pay for.
You have to listen to him, he made a car analogy. ... I'm just joking, it really was a good analogy.
Thank God for evolution.
I liked the paper/dynamite analogy way better. New, graphic, and even explosive. That's the kind of analogies we should promote! :-D
"Good news, everyone!"