Slashdot Mirror


Firefox Spoofing Bug Puts Passwords At Risk

hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff, Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11, and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"

10 of 157 comments

  1. An honest Security Bug by pembo13 · Score: 4, Informative

    Hope the Firefox guys can get to it quickly, but it doesn't sound too serious. In the meantime, people need to practice the whole watching where you browse idea.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  2. Youtube video by sucker_muts · Score: 4, Informative

    Youtube video mentioned in the article:

    http://youtube.com/watch?v=NaCPw1s3GFw

    --
    Dependency hell? => /bin/there/done/that
  3. How different browsers handle this by amolapacificapaloma · Score: 2, Informative

    A Spanish website with screenshots of how this is handled by IE6, Firefox, Opera and Konqueror: http://www.kriptopolis.org/falsificando-dialogos-firefox

    --
    exp(i*pi)+1=0
  4. Re:Please enter your credentials here: by Basje · Score: 2, Informative

    Because the realm is the identifying element of authentication. The username/password combo is automatically resent if the realm matches.

    So if you first log on to paypal and afterwards to another page on the same realm, you don't need to retype the username/password.

    If another site mimics the exact realm, the username/password is sent to that site as well.

    Details here: http://httpd.apache.org/docs/1.3/howto/auth.html#basicworks

    --
    the pun is mightier than the sword
  5. Re:Show me the demo!! by Anonymous Coward · Score: 1, Informative
  6. Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!! by PatrickThomson · Score: 2, Informative

    The power of voodoo, duh.

    --
    I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
  7. Re:Please enter your credentials here: by totally+bogus+dude · Score: 2, Informative

    That doesn't sound right to me, but I'm not going to test it because I'd rather go to bed.

    The realm is not a trusted string in any way, shape, or form, and if a browser did automatically hand out your username and password to any site claiming the same "Realm" it should cause quite a stir in the security community. Reasonably, I'd expect browsers to follow the specs you linked to in the Apache docs but only within the same domain.

    On the other hand, Basic authentication isn't widely used, so I guess most people wouldn't encounter ill effects of such a "feature", and most browsers only remember passwords based on the domain name anyway. The chances of anyone accessing a legitimate site that uses Basic authentication and then accessing an illegitimate site that happens to use the exact same realm name in the same browser session are pretty remote. Still, it seems a bit too simplistic for the modern web.

    I've no idea how old that entry is, but I really do suspect it dates from earlier, simpler times. The server doesn't provide a Last-Modified header and I couldn't see a datestamp anywhere in the file.
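The realm handling discussed in the story summary and in comments 4 and 7, as an added example in Python (not code from the article, from Mozilla, or from any of the posters): parse the realm out of a Basic challenge, render it so that spaces, quotes and control characters cannot blend into the dialog's own wording, state the requesting origin first, and scope stored credentials by origin plus realm rather than by realm alone. The URL and header values are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not from the article): the realm carries spaces, a single
# quote and escaped double quotes so that it reads like the dialog's own prompt.
SAMPLE_URL = "http://attacker.example/login"
SAMPLE_HEADER = 'Basic realm="trusted.example\' says: enter your \\"password\\""'

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
_CHALLENGE = re.compile(r"\s*Basic\s+realm\s*=\s*(?:" + _QUOTED + "|(" + _TOKEN + "))", re.I)

def parse_realm(www_authenticate):
    """Realm of a Basic challenge with quoted-pair escapes removed, or None."""
    m = _CHALLENGE.match(www_authenticate)
    if not m:
        return None
    if m.group(1) is not None:
        return re.sub(r"\\(.)", r"\1", m.group(1))
    return m.group(2)

def escape_realm(realm, max_len=48):
    """Render the untrusted realm so it cannot masquerade as dialog text:
    collapse whitespace, truncate, then escape quotes, backslashes and controls."""
    text = " ".join(realm.split())
    if len(text) > max_len:
        text = text[:max_len] + "..."
    escaped = ("\\" + c if c in '"\\' else c if c.isprintable() else "\\x%02x" % ord(c)
               for c in text)
    return "".join(escaped)

def origin(url):
    """scheme://host:port; this, not the realm, identifies who is asking."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return "%s://%s:%d" % (p.scheme, p.hostname.lower(), port)

def dialog_text(url, www_authenticate):
    """Dialog body: origin stated first, realm shown quoted and escaped."""
    realm = parse_realm(www_authenticate)
    if realm is None:
        return None
    return '%s asks for a username and password. The site says: "%s"' % (origin(url), escape_realm(realm))

def credential_key(url, www_authenticate):
    """Stored credentials are scoped by origin AND realm, never by realm alone."""
    return (origin(url), parse_realm(www_authenticate))
```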

  8. Re:Show me the demo!! by Kijori · Score: 4, Informative

    Here it is: http://youtube.com/watch?v=NaCPw1s3GFw I made the same mistake of clicking on the PCWorld link expecting it to go to the actual video... how naive of me...

  9. Re:Phishing by cheater512 · Score: 2, Informative

    This only works on the actual HTTP authentication stuff, not web forms.
    No mainstream site uses it so they'll probably get confused rather than enter in their password.