Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Spoofing Bug Puts Passwords At Risk

Posted by Zonk on from the please-keep-the-fox-in-the-pen dept.

hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11 and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"

1 of 157 comments (clear)

  1. Re:Phishing by fmobus · · Score: 2, Interesting

    And also because HTTP authentication dialogs are quite "spoofable" anyway. You can make a phony dialog, whose style matches the system you're targeting. Of course, you can't make it modal like the real one, but most users can't really tell the difference.

    Just like the "lock" on older versions of Internet Explorer. People were taught to look for the "lock" icon on the status bar to assure they are safe. However, if the status bar is disabled (IIRC, it is the bloody DEFAULT), you could fake a status bar with a fake icon.

    Fortunately, IE7 moved the icon to the location bar (a sensible approach, probably learned from OSS browsers like firefox). But yeah, they still ship with a status bar that can be disabled. Go figure.