Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Spoofing Bug Puts Passwords At Risk

Posted by Zonk on from the please-keep-the-fox-in-the-pen dept.

hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11 and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"

13 of 157 comments (clear)

  1. Phishing by JCSoRocks · · Score: 5, Insightful

    Ugh, This is basically just another form of phishing. Who follows links to websites that require a username / password anymore anwyay? If I want to go to gmail, my bank, whatever, I'm definitely not going to follow a link from some random website or e-mail. I'm going to type in the URL and login. Don't get me wrong, it'll be good to see this patched - But basically this vulnerability only matters if you're the same kind of person that falls for phishing.

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    1. Re:Phishing by jlarocco · · Score: 3, Insightful

      But basically this vulnerability only matters if you're the same kind of person that falls for phishing.

      Haven't Firefox zealots been pushing Firefox to the "kind of person that falls for phishing"? I was under the impression that "being secure" was one of their big selling points that they liked to talk about.

      Given that, they should fix this immediately.

      --
      Maybe not
  2. Re:Show me the demo!! by gEvil+(beta) · · Score: 3, Insightful

    Well, he apparently has a demo video up on YouTube (hey, videos are better than nothing). Unfortunately, PCWorld would much rather give me links to searches on their own site instead of a USEFUL link to the actual video...

    --
    This guy's the limit!
  3. Please enter your credentials here: by PrescriptionWarning · · Score: 5, Insightful

    What's really to stop someone from popping up a screen that says "Please enter your PayPal username and password below:" anyway? I mean all they gotta do is set up some simple html page that kinda looks official and you can be sure that you'll get more than a handful of dummies who'll actually put it in. I have to wonder when things stop being considered the fault of the program and start being the fault of the user.

    1. Re:Please enter your credentials here: by hotrodent · · Score: 2, Insightful

      Agreed, and heck, I'm a big Firefox advocate. But would you react the same way if the fault had been found in IE instead? A bug is a bug and needs to be fixed. Users will ALWAYS be users - that'll never change.

    2. Re:Please enter your credentials here: by Bearhouse · · Score: 2, Insightful

      Indeed. Slightly offtopic, but the really bad thing is that eBay and Paypal do just this, (popup screens across sites). The first time I was asked to verify my Paypal details when trying to pay for something on eBay, I spent a long time noting the different pieces of info, then backed out and rechecked, before submitting any more sensitive info, (Paypal ID and CC numbers).

      Yes, browser faults are serious and should be fixed, but a bigger problem is sloppy coding of sites that get people into bad "submit the damn info already" habits...

  4. Re:An honest Security Bug by mhall119 · · Score: 5, Insightful

    Look at the type of bugs, not just the number. One spoofing vulnerability does not compare to one remote code execution vulnerability.

    It's like saying there are 10 ways a thief can trick a Toyota user into handing over their car keys, but only 1 way a thief can remotely start your Lexus and drive it wherever they want without you even realizing they've done so. Therefore Toyota's are less secure. Or, conversely, it's like saying paper is more dangerous than dynamite, because more people get paper cuts than blow themselves up.

    --
    http://www.mhall119.com
  5. Who pays attention to realm, anyway? by samjam · · Score: 3, Insightful

    Who pays attention to realm, anyway?

    I've always interpreted the realm as an advisory comment for the dialog box, and used the URL of the website to indicate whether or not I want to give up a password.

    Sam

    --
    blog.sam.liddicott.com
  6. Just wondering by mariuszbi · · Score: 2, Insightful
    AFAIK the passwords sent like this are still plain text, no encryption whatsoever. So the question rises : What site still uses this kind of primitive login?! No commercial sites, I guess. Another problem that makes this attack unlikely is that the user doesn't expect a dialog to appear, he wants the web_site_standard_login_form.

    More problems come from giving the user an identical page hosted on some evil server, in that case the user expects to see the login form.Then again, a bug is still a bug, and the only good bug is a dead one.

  7. Sorry, but I'm calling BS by Anonymous Coward · · Score: 3, Insightful

    I'm having a hard time calling this a *bug*. I would rather call it a presentation problem.

    Then again, what's the problem?

    The standard Firefox HTTP auth dialog says "Please enter the username and password for $REALM at $URL". Note the included URL to prevent phishing.

    Now what Mr Raff does is basically set up $REALM as "Google Checkout (https://www.google.com) for more details see my page at" and $URL as the domain name he controls. The whole thing looks like: Please enter the username and password for Google Checkout (https://www.google.com) for more details see my page at http://avivraff.com/".

    So no, I haven't looked at the HTTP RFC, but I am not sure that forbiding spaces and quotes in HTTP auth realms is the answer.
    What Firefox actually needs is just a better, more fail-safe presentation of the data on this dialog.

    Just my 2 AC cents (too lazy to create an account for just that)

  8. Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!! by Anonymous Coward · · Score: 1, Insightful

    what power?

  9. Re:FF1.5 by dvice_null · · Score: 3, Insightful

    > Here is the real question: How do you really know that your browser is safe at all?

    Well first thing is to make sure you are using the latest version. E.g. not using FF 1.5, which doesn't anymore get security updates at all.

    That is pretty much all you need to do if you are a normal user. If you need superiour security, then you run the browser in a sandbox.

  10. Re:Show me the demo!! by MMC+Monster · · Score: 2, Insightful

    Especially when the sentence says that a link to the video is provided.

    I'm certainly not following any other links from their site. I'd probably end up on goatse.cx or something.

    --
    Help! I'm a slashdot refugee.