Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Spoofing Bug Puts Passwords At Risk

Posted by Zonk on from the please-keep-the-fox-in-the-pen dept.

hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11 and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"

4 of 157 comments (clear)

  1. An honest Security Bug by pembo13 · · Score: 4, Informative

    Hope the Firefox guys can get to it quickly, but it doesn't sound too serious. In the mean time, people need to practice the whole watching where you browse idea.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  2. Youtube video by sucker_muts · · Score: 4, Informative

    Youtube video mentioned in the article:

    http://youtube.com/watch?v=NaCPw1s3GFw

    --
    Dependency hell? => /bin/there/done/that
  3. Some much more informative links by Anonymous Coward · · Score: 3, Informative

    http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

    and

    http://www.kriptopolis.org/falsificando-dialogos-firefox (Spanish)

  4. Re:Show me the demo!! by Kijori · · Score: 4, Informative

    Here it is: http://youtube.com/watch?v=NaCPw1s3GFw I made the same mistake of clicking on the PCWorld link expecting it to go to the actual video... how naive of me...