Firefox Spoofing Bug Puts Passwords At Risk

hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11 and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"

impossible!

open source is so secure this could never happen, mein fuhrer!

An honest Security Bug

[pembo13]

Hope the Firefox guys can get to it quickly, but it doesn't sound too serious. In the mean time, people need to practice the whole watching where you browse idea.

Re:An honest Security Bug

[bogaboga]

I am inclined to conclude that Firefox is not as secure as first thought. Of late, I have seen more security related bugs on Firefox than Windows Internet Explorer. I hope I am wrong.

I wonder how many bugs have not been discovered yet.

Re:An honest Security Bug

[mhall119]

Look at the type of bugs, not just the number. One spoofing vulnerability does not compare to one remote code execution vulnerability.

It's like saying there are 10 ways a thief can trick a Toyota user into handing over their car keys, but only 1 way a thief can remotely start your Lexus and drive it wherever they want without you even realizing they've done so. Therefore Toyota's are less secure. Or, conversely, it's like saying paper is more dangerous than dynamite, because more people get paper cuts than blow themselves up.

Re:An honest Security Bug

I wonder how many bugs have not been discovered yet. and how many IE bugs will NEVER be discovered (except by the people exploiting them) because no one can see the code.
just the fact that this bug has been discovered and can now be fixed is a plus for firefox

Re:An honest Security Bug

[snoyberg]

You have to listen to him, he made a car analogy. ... I'm just joking, it really was a good analogy.

Re:An honest Security Bug

Lexuses are Toyotas.

Re:An honest Security Bug

yeah, keep being an open source apologist. we see through all of that.

Re:An honest Security Bug

[KlaymenDK]

I liked the paper/dynamite analogy way better. New, graphic, and even explosive. That's the kind of analogies we should promote! :-D

Re:An honest Security Bug

What about all of the bugs that MS fixes that are never even mentioned anywhere? Sure there are bugs in IE that are discovered and announced by someone outside of MS. There are also bugs that MS find and MS's teams of lawyers and marketing/PR people have deemed appropriate to announce to the worlds. There are then the bugs that their lawyers and marketing/PR people have deemed inappropriate to announce to anyone. Most (not all, never all) of those bug fixes eventually get rolled up into a service pack, or if MS's marketing/PR and lawyer teams think it would be good PR to announce a critical bug and fix they do so with a hot fix.

The difference with Firefox/Mozilla/Linux/et al is that they are open and the bugs are not hidden and the bugs are all eventually fixed.

I take all surveys, graphs, charts, studies, etc with a grain of salt. Any bean counter can contort those numbers to mean anything. MS can decide to announce a certain number of bugs to make it appear as if they have had fewer bugs in their software over the last year than competing products. Until MS becomes translucent, never believe the hype that they have fewer bugs than their competition. I'm not saying they don't, I'm just saying, don't believe it. Don't believe anything you cannot verify yourself. The same could be said for politics and government.

Re:An honest Security Bug

Yea. 'Cos all those eyes looking at the code certainly saw this one. Must've been hiding in the memory_leaker class.

Re:An honest Security Bug

That word "Lexus" is pronounced "Licks-ass". Just FYI.

Re:An honest Security Bug

Very good analogy, except hey, wait, Toyota and Lexus are the same company...

Re:An honest Security Bug

[Blakey+Rat]

Would be nice if there was a screenshot of what this mysterious "realm" dialog box looks like. I can't be the only person who has no clue what he's talking about, can I?

Re:An honest Security Bug

[joeytmann]

If you are dumb enough to be duped into giving away your Toyota, thats your fault. If however a thief were to come into my garage and drive away with my Lexus because keys can easily be copied....I blame Lexus and I expect them to fix the problem so it doesn't happen again.

Re:An honest Security Bug

[lena_10326]

Re:An honest Security Bug (Score:0, Troll)

You blasphemed. Don't test the FOSS God.

Re:An honest Security Bug

[xero314]

This is both old news and a very week exploit. The fact that firefox is built with XUL which it can also render has made it vulnerable to these exploits since day one. There are already examples out there of "Web Sites" (XUL applications) that can cause a pop up window that look and work just like a new browser windows except that they can filter the content entered into any field in the browser or other site to any where else fro tracking and stealing of information.

Re:An honest Security Bug

and you call that a WEAK exploit. FFS, so a web site being able to completely fool a user to enter credentials is now considered a weak exploit in the firefox world, and people blast MS for not taking security seriously.

Re:An honest Security Bug

[andruk]

I think I'm going to let second sentence just fail all on its own.

Re:An honest Security Bug

[rainman_bc]

Why? Firefox's memory management is truly ass. I do not think a web browser should ever consume 400MB of RAM - it's bad.

I've tried all the different changes to the settings and it still is ass. I run it on my mac, and with four tabs open it's taking over 100MB:

user 114 0.7 11.2 542940 117764 ?? S 8:54pm 5:59.26 /Applications/Firefox.app/Contents/MacOS/firefox-bin -psn_0_77843

11.2% of my RAM is consumed by firefox, and that's only with four tabs open.

Re:An honest Security Bug

[andruk]

I probably wasn't clear. Firefox memory leaks do suck, I wasn't debating that. I was talking about the fact that somebody in the community had caught the bug. ;-)

Re:An honest Security Bug

[xero314]

First of all I was calling the exploit in the article weak. It requires you to use a link on the exploiting site that links to some secure site that you would use. That is just down right stupid. If you didn't type the address into you address bar you deserve to be exploited.

The Exploit I mentioned, browser spoofing, is more sever, but also applicable to any browser that does not specifically signify a popup as being a popup, and supports any decent rendering engine. With a popup and some good CSS/JS work someone could make any website look just like the browser it was accessed from. This is still not a major issue because it requires the user to do a couple foolish things. The real exploits are the ones that allow attackers to take control of a system with the user having done anything foolish (like browsing untrusted sites or using a popup window as the primary browsing window after it pops up).

Show me the demo!!

[Prairiewest]

Too bad he doesn't want to show an online demo of this, I was kind of getting used to being able to try out these kinds of exploits in my own browser. Call me masochistic.

Re:Show me the demo!!

[gEvil+(beta)]

Well, he apparently has a demo video up on YouTube (hey, videos are better than nothing). Unfortunately, PCWorld would much rather give me links to searches on their own site instead of a USEFUL link to the actual video...

Re:Show me the demo!!

http://youtube.com/watch?v=NaCPw1s3GFw

Re:Show me the demo!!

[Kijori]

Here it is: http://youtube.com/watch?v=NaCPw1s3GFw I made the same mistake of clicking on the PCWorld link expecting it to go to the actual video... how naive of me...

Re:Show me the demo!!

[MMC+Monster]

Especially when the sentence says that a link to the video is provided.

I'm certainly not following any other links from their site. I'd probably end up on goatse.cx or something.

Re:Show me the demo!!

[euxneks]

Mod parent up please, the stupid links to pcworld tag pages are extremely annoying and unhelpful - I think they're doing it for some form of SEO...? Or something, becuase it's not useful to the end user.

Re:Show me the demo!!

[Kelson]

What would be nice about an online demo is that you could then test it in other browsers. Since this is an issue with the user interface, not the rendering engine, so it's possible that, say, Seamonkey or Camino might approach the situation differently (not to mention Opera, Safari, etc.)

Fortunately, it's pretty simple to just point a browser at a site that uses basic auth and see what the dialog looks like. Opera shows the site and message on separate lines with a "Label: Text" scheme, which would make this sort of phishing tricky. Konqueror 3.5 seems to use a similar format to Firefox, stringing them together as "Message at Hostname"

Phishing

[JCSoRocks]

Ugh, This is basically just another form of phishing. Who follows links to websites that require a username / password anymore anwyay? If I want to go to gmail, my bank, whatever, I'm definitely not going to follow a link from some random website or e-mail. I'm going to type in the URL and login. Don't get me wrong, it'll be good to see this patched - But basically this vulnerability only matters if you're the same kind of person that falls for phishing.

Re:Phishing

[jlarocco]

But basically this vulnerability only matters if you're the same kind of person that falls for phishing.

Haven't Firefox zealots been pushing Firefox to the "kind of person that falls for phishing"? I was under the impression that "being secure" was one of their big selling points that they liked to talk about.

Given that, they should fix this immediately.

Re:Phishing

Please - learn how to spell. loose != lose. Agreed. So please learn that "login" is a noun and "log in" is a verb.

Tip: You don't say, "I loginned to the site" [should be: "logged in"] or "I have logsin for 3 different sites" [should be: "logins"], do you?

Cheers.

Re:Phishing

[JCSoRocks]

Oh curse you AC! You are indeed right. that's what I get for trying to be close to having the first post. :)

Re:Phishing

[somersault]

The kind of person that falls for phishing is screwed in life anyway. Firefox 'zealots' simply recommend an easily-better-than-IE browser to their friends and associates, and a lot of them will just happen to be people with no common sense.

Re:Phishing

[JCSoRocks]

FireFox is definitely marketed as being more secure. However, there are certain things that people just shouldn't do. Taking the time to read and respond to all the spam they get, for example. Following links to trusted sites is another one. Do you download gobs of awesome free screen savers and clocks and smiley face making programs? no. Why? because you know they're full of crapware. Same thing.

I said that it should be patched in my original post, but my point was that this is just a way to do a phishing scam. It's not like there's a bug in FireFox that lets anyone just sniff your password when you're entering it into a legitimate site.

Re:Phishing

[morgan_greywolf]

It has nothing to do with forms-based login pages like GMail or banks use. It has to do with the 'basic auth' dialog like what gets presented to you when you login to your average LinkSys router or the 'control panel' applications that many shared hosting providers use like 'CPanel'.

And such attacks could be used in combination with stuff like DNS spoofing -- take over your ISPs DNS server and myhostingprovider.com goes where the h4x0r wants it to go.

Re:Phishing

[B3ryllium]

They're taking advice from nerds. If this doesn't show a lack of common sense, I don't know what does.

(Sticking a tie in an electric hand mixer - while wearing the tie - runs a close second)

Re:Phishing

[cheater512]

This only works on the actual HTTP authentication stuff, not web forms.
No mainstream site uses it so they'll probably get confused rather than enter in their password.

Re:Phishing

[somersault]

I dunno, if the RIAA took advice from nerds and embraced digital downloads rather than fighting tooth and nail against them, then they'd be doing a lot better for themselves.

Re:Phishing

[fmobus]

And also because HTTP authentication dialogs are quite "spoofable" anyway. You can make a phony dialog, whose style matches the system you're targeting. Of course, you can't make it modal like the real one, but most users can't really tell the difference.

Just like the "lock" on older versions of Internet Explorer. People were taught to look for the "lock" icon on the status bar to assure they are safe. However, if the status bar is disabled (IIRC, it is the bloody DEFAULT), you could fake a status bar with a fake icon.

Fortunately, IE7 moved the icon to the location bar (a sensible approach, probably learned from OSS browsers like firefox). But yeah, they still ship with a status bar that can be disabled. Go figure.

Re:Phishing

[ConceptJunkie]

Taking advice from nerds on topics in which the nerds are experts shows a great deal of common sense.

Taking advice from nerds (or anyone else) on topics in which they are not experts is the problem. That's why I have a problem with politics because most of the things being advised by politicians are being advised by people who have little or no expertise in the subject at hand. Seeking foreign policy advice from Senator Obama or Governor Huckabee, for instance, shows a lack of common sense. Seeking advice on how to make tons of money hawking doom and destruction from Al Gore is a very good idea. Seeking advise on how to tick off not only your political opponents here and abroad but all the people who elected you in the first place from President Bush is bound to get you the best information on the planet.

If nerds suggest you use Firefox, I think that's a good idea. I'm a nerd and I promote Firefox among my non-techie friends and family, and I know what I'm talking about.

Re:Phishing

[Burz]

Yes, and the status bar is important for checking a link's URL before clicking on it.

Re:Phishing

[bl8n8r]

> If I want to go to gmail, my bank, whatever,
> I'm definitely not going to follow a link from some random website or e-mail.

The bigger picture is coupled with XSS (http://en.wikipedia.org/wiki/Cross-site_scripting) or a writeable web root*, you could be redirected without even knowing it. Malware could also drop a local web page on your computer and redirect you there to offer up the exploit. How about when you purchase things on Ebay and click "Continue to my PayPal account". For every person like yourself who is extra careful, there are 1000 people that are not**. This is why exploits like this are such a big deal.

[*] - http://blogs.zdnet.com/security/?p=15
[**] - http://en.wikipedia.org/wiki/Storm_botnet

Re:Phishing

[Odiumjunkie]

> And also because HTTP authentication dialogs are quite "spoofable" anyway.

This reminds me of something I've been meaning to investigate for a while now.

If you use Firefox to store your passwords for various sites using its password manager, you have the option of setting a "Master Password" - a password that is used to encrypt your stored passwords on disk as a security precaution. Each time you start an instance of firefox, if you browse to a site for which you have a stored password, firefox will ask you for the master password so it can decrypt the stored password for the site and autocomplete it for you.

So, this is my concern - how hard would it be to fake this security dialogue with javascript and store whatever the user entered?

http://img178.imageshack.us/img178/9444/slashdotcu7.png -- screencap of the security dialogue

Re:Phishing

[fmobus]

Well, a website could fake this, but the attacker would still need access to the cyphertext containing the other passwords to do something useful. Presumably, this requires filesystem access on computer running that browser (either physically or remotely) and that alone is a much more serious problem. With file system access, one could perform evil instrumentation in a variety of points: replacing firefox executable, replacing DNS entries, or even keylogging.

Re:Phishing

[hackstraw]

It pisses me off that my bank recently moved its login page to a https page.

My bank!!!

I phoned them and complained, and they said it was no big deal.

Well, its on an https page now.

I'm thinking that their logic is that the browser warns the user (usually once, then they turn it off) that they are sending information via a nonsecure page if the handler is not an https server. Call me paranoid, but I want my login page encrypted.

Re:Phishing

[MillionthMonkey]

How hard would it be to fake this security dialogue?

Probably easy, with a float. But you can tell half the time because the guys who write these things can't seem to get through a sentence like "Please enter the master password for the Software Security Device" without misspelling at least three words. And they would make it look like an IE dialog. (I'm either using FF or Safari and I get fake IE dialogs all the time.)

Firefox Password Manager fell victim to an attack in late 2006. Its mistake was based on the assumption that all pages on a given site can be credentialed using an all-or-nothing policy for the domain, which doesn't work within a heterogeneous ghetto like myspace. It sometimes has the reverse problem with certain sites that use load balancers- it's has issues figuring out which passwords are the correct ones to prepopulate based on the URL. It also has issues with figuring out who you are, if you're sharing the computer with other people and you're not setting up individual profiles in Firefox.

I never use a browser to store passwords; I prefer Password Safe instead. It also uses a master password to encrypt stored passwords in a password file on disk. It's a tiny little program; the (old) version I have doesn't even have an installer although it does need a JVM. (I back up the file and the program itself on a USB key that I keep stuffed in my mattress.) You can export Firefox Password Manager passwords to a file, but with Password Safe you're directly keeping everything in sync by opening the encrypted file for all views or edits. Automatic URL recognition isn't a problem because it doesn't even make an attempt- it figures you can do that yourself. Everything is done manually. You reach a site, forget your password, open the file and enter the unlock master password, click on the entry for the site as you named it, click show password, close the program, and type it into the browser. If you share a Firefox user profile with other people, just make a separate password file. It's not as convenient as the browser-integrated mechanism, but security is clunky in general. I'd rather keep that stuff outside the browser, in case my laptop is stolen, or beer is spilled on it, or I switch to another browser, or I'm not using a browser. I have to remember a ton of ssh passwords too.

For more information

Read more about this at the ContactLog Blog

Please enter your credentials here:

[PrescriptionWarning]

What's really to stop someone from popping up a screen that says "Please enter your PayPal username and password below:" anyway? I mean all they gotta do is set up some simple html page that kinda looks official and you can be sure that you'll get more than a handful of dummies who'll actually put it in. I have to wonder when things stop being considered the fault of the program and start being the fault of the user.

Re:Please enter your credentials here:

[hotrodent]

Agreed, and heck, I'm a big Firefox advocate. But would you react the same way if the fault had been found in IE instead? A bug is a bug and needs to be fixed. Users will ALWAYS be users - that'll never change.

Re:Please enter your credentials here:

[Basje]

Because the realm is the identifying element of authentication. The username/password combo automaticly resent if the realm matches.

So if you first logon to paypal and afterwards to another page on the same realm, you don't need to retype the username/password.

If another site mimics the exact realm, the username/password is sent to that site as well.

Details here: http://httpd.apache.org/docs/1.3/howto/auth.html#basicworks

Re:Please enter your credentials here:

[Freeside1]

When you spill hot coffee on your gonads while driving, it's not your fault. It's McDonald's. Seems like nowadays personal accountability is dead, though I can't say I remember a time when it wasn't dead...

Re:Please enter your credentials here:

[tristian_was_here]

Yeah but a bug in IE means it will get fixed in the next service pack.

Re:Please enter your credentials here:

[X0563511]

Users will ALWAYS be users - that'll never change.

Oh, it will change. When the "users" have no money left and are all afraid to touch computers.

Re:Please enter your credentials here:

[totally+bogus+dude]

That doesn't sound right to me, but I'm not going to test it because I'd rather to go to bed.

The realm is not a trusted string in any way, shape, or form, and if a browser did automatically hand out your username and password to any site claiming the same "Realm" it should cause quite a stir in the security community. Reasonably, I'd expect browsers to follow the specs you linked to in the Apache docs but only within the same domain.

On the other hand, Basic authentication isn't widely used, so I guess most people wouldn't encounter ill effects of such a "feature", and most browsers only remember passwords based on the domain name anyway. The chances of anyone accessing a legitimate site that uses Basic authentication and then accessing an illegitimate site that happens to use the exact same realm name in the same browser session are pretty remote. Still, it seems a bit too simplistic for the modern web.

I've no idea how old that entry is, but I really do suspect it dates from earlier, simpler times. The server doesn't provide a Last-Modified header and I couldn't see a datestamp anywhere in the file.

Re:Please enter your credentials here:

[chrisv]

The realm is only half of the identifying element - the URL requesting authentication is the other half. For basic authentication (RFC 2617, section 2), the realm value is only for the server sending it; if another server (identified typically by [ http/https, hostname, port ]) sends me a WWW-Authenticate header with the same realm name specified, for the purposes of authentication it is a different realm. In digest authentication (section 3), it is possible to have credentials go across multiple servers, but such servers have to be specified in the initial WWW-Authenticate header in a "domain" parameter; otherwise, the authentication is again only available to the server sending the WWW-Authenticate header in the first place.

Ultimately, unless your system, DNS server, proxy server (if you're using one), gateway, or the target server, have been broken into, obtaining the credentials for any given realm is going to be difficult; if your system has been broken into, this is pointless because they could just as easily install a keylogger to capture the authentication information as it's being entered; if your gateway has been broken into, then unless you're performing all authenticated transactions over HTTPS and/or not using HTTP Basic authentication, the information is going across there in cleartext anyway, and tcpdump is all that's needed to extract it. Since the proxy server tends to exist at the gateway level anyway, the same issues apply there. As far as the target server goes - you can either capture the authentication info there, or, since you've got permissions to do anything the webserver is capable of, including generally accessing the authentication DB, just grab the authentication information and be done with it.

So... good luck at attempting to reuse the exact realm of another server - since, for the purposes of comparing authentication realms, the realm name is little more than a token which identifies a given protection space on a single server (or multiple explicitly specified servers in HTTP Digest, but that's still explicit).

Re:Please enter your credentials here:

[jon787]

Firefox does the sane thing and limits Realm to a hostname. Not sure about any other browser but we use HTTP Auth here and I've accidently switched from partial to fully-qualified domains and had it prompt me again.

Re:Please enter your credentials here:

[Bearhouse]

Indeed. Slightly offtopic, but the really bad thing is that eBay and Paypal do just this, (popup screens across sites). The first time I was asked to verify my Paypal details when trying to pay for something on eBay, I spent a long time noting the different pieces of info, then backed out and rechecked, before submitting any more sensitive info, (Paypal ID and CC numbers).

Yes, browser faults are serious and should be fixed, but a bigger problem is sloppy coding of sites that get people into bad "submit the damn info already" habits...

No news

[El+Lobo]

A software is never safer than: * the number of people/resources trying to bring it down * Its popularity With the raise of both options, the number of found vulnerabilities will definitly increase.

Youtube video

[sucker_muts]

Youtube video mentioned in the article:

http://youtube.com/watch?v=NaCPw1s3GFw

pssst

If you post a message in slashdot containing your username in the first line, your password in the second and three blank lines below, "PWND" without the quotes in the subject line, and post it using Extrans you will get loads of karma. It worked for me.

Re:pssst

[zsouthboy]

All my passwords are hunter2 anyway.

Re:pssst

[pcgabe]

All your passwords are what? I just see a bunch of asterisks.

Re:pssst

[zsouthboy]

You can go hunter2 my hunter2-ing hunter2

[for those that have no idea what we're talking about: http://bash.org/?244321]

Re:pssst

[Akzo]

I don't know who you are, but stop posting my password all over the internet!

Re:pssst

[OverlordQ]

It loses all humor if you have to explain the joke.

SLASHDOT CENSORSHIP: 1984 IS HERE!!!

Slashdot is deleting replies that it deems politically subversive, like this one!

Welcome to Totalitarianism in the 21st Century!

Fight the power!!!

Oh, let us mine furor!

The new Mitt Romney campaign ad is a total hoot:
http://www.youtube.com/watch?v=Af1OxkFOK18

Re:Oh, let us mine furor!

Looks somehow...different...botox?

Re:Oh, let us mine furor!

Probably shopping smart: "S" Mart!

Trawling for Trolls....

[PortHaven]

OMG...

What's this mean for all those who's answer to vulnerability was to block Flash and use Firefox!!!

Re:Trawling for Trolls....

[mhall119]

It means don't give your f*ing password out to people who come to you. I have a password on my bank account, and whenever I go to my bank I have to give them my password, but I would never _ever_ give my password if someone from my bank contacted me (which actually happened once).

Re:Trawling for Trolls....

[smooth+wombat]

What's this mean for all those who's answer to vulnerability was to block Flash and use Firefox!!!

Go back to using IE?

Re:Trawling for Trolls....

[PortHaven]

Pen & Paper all the way!!!

The best RPGs were ALWAYS "pen & paper" (well, pencil actually) ;-)

Re:Trawling for Trolls....

[PortHaven]

I like the new method that my banks been using. Even for counter deposits they still have you swipe your ATM card. You don't have too, but it's an extra check point.

My thoughts...

"There will always be vulnerabilities, the greatest risk will always remain the user."

I remember when my machine got infected with the "I love you" virus. I sat there arguing with two of our network engineers that it was a virus. They were like "No, it came from the owner's son." I kept saying, "Something's wrong...".

They're like "Just click it"...

*boomf*

User error,...my error was finally caving in to two people who had far more degrees, certificates, etc. than I a mere community college intern had...

I've learned the error of my ways. "Degrees, certificates, etc = jack when compared to common sense."

Re:Trawling for Trolls....

[Verte]

FTFA:

In the background, however, the attacker would have crafted a script that exploited the Firefox vulnerability to redirect the username and password entered by the user to the hacker's server instead of the real deal. Don't allow untrusted sites to run Javascript, of course. This exploit needs scripts enabled in order to post back.

Who pays attention to realm, anyway?

[samjam]

Who pays attention to realm, anyway?

I've always interpreted the realm as an advisory comment for the dialog box, and used the URL of the website to indicate whether or not I want to give up a password.

Sam

Re:Who pays attention to realm, anyway?

[IBBoard]

Exactly what I was thinking. I've not encountered many of those type of dialogs (so few that I can't remember the last time I did) but if you look at his example then it still says "at http://avia..../" (or whatever his domain was) at the end.

Based on the comparison page that someone posted it isn't so much a vulnerability as just bad formatting that doesn't make things as clear as it could do. If you look at the bit that says "it is from this domain" then you still get the same old (and correct) information.

Re:Who pays attention to realm, anyway?

[OverlordQ]

Who pays attention to realm, anyway?

Um, that's the point, the browser window was pointing at google checkout, but if you look at the realm at the end, it's '@ avivra.com'

So if you followed your advice, you would have just given up your information.

Just wondering

[mariuszbi]

AFAIK the passwords sent like this are still plain text, no encryption whatsoever. So the question rises : What site still uses this kind of primitive login?! No commercial sites, I guess. Another problem that makes this attack unlikely is that the user doesn't expect a dialog to appear, he wants the web_site_standard_login_form.

More problems come from giving the user an identical page hosted on some evil server, in that case the user expects to see the login form.Then again, a bug is still a bug, and the only good bug is a dead one.

Re:Just wondering

[Auz]

"Another problem that makes this attack unlikely is that the user doesn't expect a dialog to appear, he wants the web_site_standard_login_form."

Well, the more savvy users probably. I can think of several members of my family would probably assume the bank or whatever had just changed a few things.

Re:Just wondering

I didn't read the article but there is basic (non encrytped) and digest (encrypted) oh, and NTLM (also encrypted). Why would this only apply to basic.

Re:Just wondering

[KingMotley]

It's only unencrypted if you are doing it over HTTP. Switch to HTTPS and it's encrypted. Or use digest, or NTLM security.

Re:Just wondering

[Todd+Knarr]

It's only unencrypted if you're doing Basic authentication. HTTP also defines Digest authentication, in which the password is never sent at all, only a digest to prove to the server that the client knows the password.

Re:Just wondering

[RAMMS+EIN]

Slashdot uses plain text authentication. So does security.nl. And lots of other sites. It's embarassing, really.

Re:Just wondering

[Mr.+Slippery]

AFAIK the passwords sent like this are still plain text, no encryption whatsoever.

Not if you're using HTTPS.

Fundamentally, it's no more or less secure than setting a password in a browser cookie.

PWND

[mpathetiq]

your username
your password

Re:PWND

Username: Enoxice

Password:
 
...wait a minute, something seems fishy with this login page...

Re:PWND

[mpathetiq]

It must have worked, I've got Excellent Karma!

How different browsers handle this

[amolapacificapaloma]

A spanish website with screenshoots of how this is handled by IE6, Firefox, Opera and Konqueror: http://www.kriptopolis.org/falsificando-dialogos-firefox

WHAT!?

What..!? Passwords aren't secure... :-0 ! Who'd have thunk it...

In other news, Slashdot memes are old, and Anonymous Cowards never get comments approved... ...

Wow

[peipas]

What a coincidence that the security researcher's last name is the same as the browser he is testing!

Re:Wow

[tepples]

What a coincidence that the security researcher's last name is the same as the browser he is testing! I see one instance of "Aviv Raff" and two instances of "Mr. Raff" in the summary. Could you explain what you mean by this?

Re:Wow

[mhall119]

According to Mr. Raff Firefox fails to sanitize... Read like "Mr. Raff Firefox", because of a missing comma. Should be:

According to Mr. Raff, Firefox fails to sanitize...

Re:Wow

[peipas]

Mr. Raff Firefox. Calling him Mr. Raff made me chuckle, like Mr. Ed or Mr. Larry. Not quite sure on the Aviv prefix, other than an ear of corn in the spring. Maybe it means he's a farmer/researcher.

Re:Wow

[TheAngryIntern]

ummm, his name is Aviv Raff, not Raff Firefox.......

Not to get too technical, but...

[thegnu]

I wonder how many bugs have not been discovered yet.

All of them. No wait, let me check...

Yep, all of them!

Re:Not to get too technical, but...

[Wanado]

All of them. Check again. Ever been involved in a project that has bug lists? I'm guessing not. There are many bugs that have been discovered yet remain bugs in the product. It takes time to fix bugs. Some projects are large and bugs aren't instantly corrected the moment they are discovered. They're not all simple typos. Even once a solution has been determined, it may still take even more time to implement the solution. Then even when they're fixed, the bug usually remains in that software version while a new version is rolled out with fixes, so you may want to be aware of existing bugs in the software version that you use.

Re:Not to get too technical, but...

[blackjackshellac]

Reminds me of this joke,

We were traveling by plane at half the speed of smell and got passed by a kite.
Then one of the two engines failed. And the guy sitting next to me went nuts
and asked how far the other engine would take us. All the way to the scene of the
crash, I told him. But we'll beat the paramedics by 35 minutes.
-- Ron White

Re:Not to get too technical, but...

Back when Mozliia was called Netscape, they had a "find a bug, get a free T-Shirt" promo; I sent a few of the 100+ bugs I'd found, with an offer to send the rest. Instead of a T-Shirt, I got a lawsuit from the wankers, and they never asked for the rest. You read that right - I got a letter from their lawyers for entering their own competition.

Go look at the source code. The product's a complete mess written by countless newbies "without a clue", and maintined by unpaid/unemployed volunteers with no background in security, and no security background checks.

How many bugs do *you* think are left in there?

Re:Not to get too technical, but...

[mqduck]

I think you're probably a troll (if not flamebaiting), but I still have to ask: What did the lawsuit say you did that was illegal?

Re:Not to get too technical, but...

[thegnu]

Check again, I think you missed a shitty joke.

Sorry, but I'm calling BS

I'm having a hard time calling this a *bug*. I would rather call it a presentation problem.

Then again, what's the problem?

The standard Firefox HTTP auth dialog says "Please enter the username and password for $REALM at $URL". Note the included URL to prevent phishing.

Now what Mr Raff does is basically set up $REALM as "Google Checkout (https://www.google.com) for more details see my page at" and $URL as the domain name he controls. The whole thing looks like: Please enter the username and password for Google Checkout (https://www.google.com) for more details see my page at http://avivraff.com/".

So no, I haven't looked at the HTTP RFC, but I am not sure that forbiding spaces and quotes in HTTP auth realms is the answer.
What Firefox actually needs is just a better, more fail-safe presentation of the data on this dialog.

Just my 2 AC cents (too lazy to create an account for just that)

Re:Sorry, but I'm calling BS

[stony3k]

Mod parent up. This is exactly what the fault is. Firefox needs to present the details better, that's all.

Re:Sorry, but I'm calling BS

[Todd+Knarr]

Agreed. Banning spaces in the realm would violate the RFCs and make descriptive realms (eg. "Google Checkout") less feasible. I simply remember that the authentication dialog format isn't under the control of the site, which means that the URL at the end is the URL (technically a prefix) the username and password will be used by. If I see something like his example that appears to imply otherwise, it means the site's trying to play games and I should ignore the implication and trust my browser: the URL at the end is the URL of the site, it's got "at" just before it, and everything from that "at" back to "password for" is the realm specified.

A better presentation would be two lines:
Realm: realm string
URL: url prefix string
That'd make it impossible to confuse the two.

Apparently, a fix is already out

You can get it here

Pffffft yeah right

[marsvin]

I'll just stop logging in on web sites until they fix this gaping security hole. Right.

Denial is the best option

As with all FOSS, the first course of action needs to be very vocal denials. It's always worked in the past... after all, would anyone be using Firefox if we were honest from the start about all the gaping security holes, buffer overflows, and the over 300 memory leaks? Not likely, especially since IE7 is both more stable and secure... and most people already have it on their computers! Also, now IE8 is coming down the pipe, we won't be able to use the "itz notz teh stadtards komplient!!11!!1!" whine. IE8 could very well be the final nail in our coffin... unless we keep lying and spinning to increase Firefox's market share (or at least not lose too much).

So really, we have to deny early and often. And hey, this is FOSS: fixing problems is really secondary. If they don't like it, let them go buy something, the cheap bastages. You get what you pay for.

Re:Denial is the best option

[joeytmann]

I am wondering why this is modded funny? i'd almost go with insightful. but i am really surpised this isn't a troll or flamebait.

Re:Denial is the best option

Congratulations, you're an ideological carbon copy of the open-source jihadists you're so ineptly trying to mock.

FF1.5

[roman_mir]

I am still with 1.5, it's a memory hog and doesn't do everything that the latest version does and I am not even sure that it doesn't have the same vulnerability, but I am just not interested in FF2 and/or FF3 for now. The versions switch too fast all in the name of more functionality but the basic security and memory questions are still unanswered.

Here is the real question: How do you really know that your browser is safe at all? You can download the code and read it, but I believe it is not just about code, but mostly it is about the design. I am thinking a browser should allow me to have some sort of an instrumentation bar, where the information pertaining to security/memory/cpu usage is displayed in useful form. Something like a debug window for communications and various internal functions (extensions / plugins) that shows details of what is happening. I know this is not useful for a normal user, but if this was an option, then the powerusers could monitor the activity of their browser while using it and the vulnerabilities could be found faster. A poweruser could then mark something that is happening in the browser as suspicious and this info could be loaded into the developer site. If the same behaviour is marked as suspicious multiple times, it should then get a priority review.

This could be used to detect problems by more people than are interested in looking at the source code.

Re:FF1.5

[dvice_null]

> Here is the real question: How do you really know that your browser is safe at all?

Well first thing is to make sure you are using the latest version. E.g. not using FF 1.5, which doesn't anymore get security updates at all.

That is pretty much all you need to do if you are a normal user. If you need superiour security, then you run the browser in a sandbox.

Re:FF1.5

[roman_mir]

My browser has no plugins, no flash, the js is disabled. I use it only for reading text basically, so it doesn't matter much which version it is.

Re:FF1.5

[IAmGarethAdams]

The real question is, if that was how it worked, how do you know that the plugin reporting the security information, number of connections, phone-home indicator etc are all telling the truth and not covering up some other kind of reporting?

I'm actually starting to think that my tinfoil hat is letting through some mind-altering brainrays which are convincing me that my tinfoil hat is working fine! How's that for a headfuck?!

Re:FF1.5

[roman_mir]

True, but that's where the design really has to be refined to the point of being proven mathematically. It has to be proven that the reporting is done in a way, which prevents spoofing from happenning no matter what.

Re:FF1.5

[murdocj]

Here's a better one: the CIA wants you to wear tinfoil hats because such hats act as an antenna to focus mind-control rays on your head, so they started the rumor that tinfoil hats protect you.

Re:FF1.5

Your logic confounds me on so many levels

Re:FF1.5

[BenoitRen]

A new version once a year is too often for you?!

Re:FF1.5

[jesser]

Some browser vulnerabilities can be exploited without plugins or JavaScript, so even if you have those disabled, you'll be safer if you update to a current version.

Still safe for me

[LagosPortugal.info]

I always use my own bookmarks or type the url of the site i wish to visit & of course I never save any user/passwords in my browsers, I always reccomend to my clients to use password storage software to save passwords never the browser & always use bookmarks, theres so many dogey sites out there now, sometimes i find my clients are afriad to click links on sites after i inform them of all the nastyness out there. just my 2 cents worth.

Injection Vulnerabilities

[RAMMS+EIN]

Sometimes, injection vulnerabilities make me laugh. I mean, how difficult can it be to just put a string in another string?

Not very difficult, obviously.

And, honestly, it _isn't_ very difficult. It's only when you then go and interpret the resulting string as code that weird things start to happen. The solution is simple: don't treat strings as code. In Lisp, for example, the more natural way to compose the code would be to use list construction instead of string concatenation. That way, you can put whatever you want in the string, but it will never be excuted as code.

But then, of course, everybody loathes Lisp. And smug Lisp weenies. So I'll get modded down. On the other hand, I said I would get modded down, so I'll probably get modded up.

Re:Injection Vulnerabilities

[cnettel]

This is not an injection bug per se, but more a string parsing bug. Parsing needs to be done as long as not all content is implicitly structured. One point in using XML for anything is to avoid doing any parsing on your own. But, think about it, would you like an e-mail address, URL or file path to be a structued list or XML snippet? And could we be sure that the structure is always the right one, so there will be no need to flatten it and reparse it and get into the same old bugs?

Finite state machines with more than a handful of states are hard (whether implemented explicitly or implicitly). They are harder for some people. We can try to make sure that the reinventing-the-wheel need is limited, but it's oh so surprising how often you want something that's only a bit different (or you find the standard interface to be so clunky that you roll your own *guilty smile*).

Re:Injection Vulnerabilities

[GuldKalle]

Damn, i'm confused now. I guess the only right choice would be to reply to your post.

Re:Injection Vulnerabilities

[RAMMS+EIN]

``This is not an injection bug per se, but more a string parsing bug.''

By "injection vulnerability", I mean and understand "a possibility to 'break out' of a certain datum and thus inject (part of) it into the surrounding data structure, where this is not desired". Is that not what is happening here?

``Parsing needs to be done as long as not all content is implicitly structured. One point in using XML for anything is to avoid doing any parsing on your own. But, think about it, would you like an e-mail address, URL or file path to be a structued list or XML snippet? And could we be sure that the structure is always the right one, so there will be no need to flatten it and reparse it and get into the same old bugs?''

I am not going to answer that, because it is beside the point. XML is parsed, too. What I meant in my original post is that you can create and pass everything in data structures, rather than marshalling and unmarshalling it.

If you _do_ marshal and unmarshal your data structures, of course it makes sense to do so using a robust marshaller and unmarshaller. And a proper API. If, in PHP, you do "SELECT FROM Table WHERE field = $value", you're asking for trouble. Of course, what Firefox does is going to be different at least in the language they use, but the principle along which all these vulnerabilities come in existence is the same: composing data in a way that doesn't preserve structure, and then assuming the structure has been preserved.

Some much more informative links

http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

and

http://www.kriptopolis.org/falsificando-dialogos-firefox (Spanish)

Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!!

what power?

Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!!

[PatrickThomson]

The power of voodoo, duh.

nazi 'spoofing' of inf. puts all of US at risk

the 'problems' as presented by the 'mainstream' mediahhaha, are homeowners, banks, energy consumption/waste, & now declining employment. none of this connects to the billions per day of maintaining the 'wars', & fudging the weather?

we know there's been a huge cost of life & limb. the rest of it must be 'on the house'.

of course there's some notion that numerous billionerrors are profiting handsomely, no mention of that debacle either.

talk about being bushwhacked, & kept in the dark?

if thinking about such things frustrates you, you might consider signing up for fuddle's patentdead anti-frustration devise, or just continue following the corepirate nazi hypenosys story LIEn. anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile;

http://news.yahoo.com/s/ap/20071229/ap_on_sc/ye_climate_records;_ylt=A0WTcVgednZHP2gB9wms0NUE

http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A

is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://video.google.com/videosearch?hl=en&q=video+cloud+spraying

dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestat

Not Till....

[pentalive]

No, the bug in IE will get fixed in the service pack that comes after Microsoft finds and acknowledges the bug.

Payment processors?

[tepples]

However, there are certain things that people just shouldn't do. Taking the time to read and respond to all the spam they get, for example. Following links to trusted sites is another one. Even if the trusted site is a payment processor such as PayPal, Google, or Amazon, and the link comes from an online store where the user is trying to complete a purchase?

Re:Payment processors?

By you typing it in. More secure that way.

Re:Payment processors?

[SnowZero]

While I can see your point, I don't think it's a good idea to buy something from an online store that you don't trust. Pay the extra ~3% and go to a store that people have heard of.

Re:Payment processors?

[tepples]

I don't think it's a good idea to buy something from an online store that you don't trust. Pay the extra ~3% and go to a store that people have heard of. Unless you're looking for obscure stuff like Nintendo DS accessories that don't carry Nintendo's seal, such as the R4 card for running Colors! and DSOrganize. In that case, Amazon, eBay, major click-and-mortar retail chains, and the like will often not carry it.

Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!!

The power of voodoo, duh.

Who do?

Payment processors?

[tepples]

I always use my own bookmarks or type the url of the site i wish to visit Say you're trying to buy something online. One typical use case is the following:

1. The seller's web site directs the buyer to a third-party payment processor such as PayPal, WorldPay, Amazon, or Google. Seller gives the seller's identity, a summary of the order, and an amount to the payment processor, and redirects the buyer to the payment processor.
2. The buyer authenticates to the payment processor, commonly using a password over TLS.
3. The buyer inspects the seller's identity claims, the order summary, and the amount, and approves the payment.
4. The payment processor deducts the amount from the buyer's account, adds it to the seller's account, notifies the seller of the order number and the amount paid, and presents a receipt to the buyer.
5. Buyer is redirected to the seller's web site.

If you always use a bookmark to https://www.paypal.com/ to visit PayPal, how will PayPal know the seller, the order number, or the amount?

Patch available for download...

... in 3 .... 2 ....

You mean Paypal didn't switch to basic auth?

[wsanders]

Rats, I thought something was fishy, them ditching SSL and all.

Don't laugh, Datek (now Ameritrade) used basic HTTP auth until about 2001 or so. Yikes!

Re:You mean Paypal didn't switch to basic auth?

Give a man a fish and you have fed him for today. Teach a man to fish, and he'll be gone all day.

There, fixed that for you.

While they're at it

Maybe add a warning to the basic authentication dialog box that the username/password is send unencrypted (base-64 encoded).

Oh no!

Oh no, the Israeli's are stealing our passwords! Quick, someone tell Dear Leader so he can launch a pre-emptive strike.

Crap links

[MillionthMonkey]

I hate when I click on a goatse.cx link and it turns out to be a crap link that loads an ad-infested page on the same site that you're on:

[banner]
[popup]
[banner]
SHOP for assholes!
RATE your asshole!
RECOMMEND your asshole to friends!
Read REVIEWS of assholes!
FIND assholes in your area!
COMPARE PRICES for assholes!
Find DEFINITIONS and SYNONYMS for asshole!
100%-free asshole SCREEN SAVERS!
[banner]
[banner]
Sponsored Links:
Looking for FREE ASSHOLES in your area? Click HERE
Assholes repaired at low prices, 100% safe, guaranteed
Need credit? Pull equity out of your asshole today!
[banner]
[popunder]

And you, Wikipedia, you're another one- when I'm in a hurry, I'd like a visual hint that I might see this:

"This article is a stub. You assholes can help Wikipedia by expanding it."

Random Phishing Isn't the Real Problem With This.

[baboo_jackal]

The biggest factor that determines the likelihood for success of any attempt to defraud people is this: How similar is the fraudulent thing to the real thing? After reading TFA and watching the demonstration, this particular exploit would allow a person to modify the text content of an authentication dialog box to fool people into thinking it comes from a trusted source.

To be honest, I can't remember the last time a website I use for personal purposes required a browser authentication dialog for login (including banking, investing, buying stuff with my debit or credit card, etc.). I'm going to speculate wildly here, and assert that most secure logins for personal use occur in HTML forms, and that this exploit doesn't approximate the login activity of most websites, used my most people. Now, some people when confronted with this weird, never-before-seen login "thing" will give it their login and password, but others won't because either they're tech-savvy enough to realize that something's wrong, or because their untrained interweb-spidey-sense goes off. Point is, it's at least an individually-significant issue until the info gets out to enough people.

But the really dangerous potential of this exploit isn't to get somebody's bank login info, or PayPal, or Amazon, or eBay login, or whatever. Think about all the logins that *do* normally use a browser authentication dialog box, like corporate, government, and defense portal sites. This exploit actually more closely approximates a legitimate login identity challenge to systems that impact not just one person, but *lots* of people. Imagine that you're corporate-drone #637, and you've been working on a super-serial secret something-or-other and you get an email from "your IT folks" asking you to log in to the VPN. Oh, they also included a helpful link to do so, and oh, you also happen to be using Firefox.

I think that's the real problem with this exploit.

Use Opera

[cyofee]

Fastest, most secure and best features.

You might be.

[uhlume]

He's talking about the standard HTTP Auth dialog. (Good luck refusing to enter your password in any HTTP Auth dialogs -- it's still the most ubiquitous authentication mechanism on the Web.)

Re:You might be.

[trianglman]

I don't know what sites you go to, but there is only one website I ever see that prompt for, and that is an intranet website. It would be an issue if this could be used to get saved passwords more easily, which I haven't seen anything about yet, but that is easily prevented by using the secure login plug-in.

Have you seen it in action?

[igmuska]

Seen it already, but forgot the website...then I read about this interesting spoof. hahahahaha! Like I am going to put my password in some strange account, but the link that took me there was in a major trusted site.

Nothing to see here. Please move along.

[MillionthMonkey]

Firefox Password Manager fell victim to an attack in late 2006.

There, fixed the link (I hit Ctrl-V twice).

Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!!

[Doctor-Optimal]

Uhhh, you do? (Duh?)

Not on Mac

[bill_mcgonigle]

Thanks for the useful link. It occurs to me that this would throw a flag for most Mac users, who are used to their dialogs descending down from the title bar of the window in an animated sheet. A webpage shouldn't be able to modify chrome, and thus a fully convincing exploit shouldn't be possible for Mac.

Score one for gratuitous eye candy as security feature.

Re:Not on Mac

[uhlume]

Except that isn't a faked Basic Auth dialog, it's a real dialog box (genuine chrome!) with a spoofed Realm. Watch more closely. There's absolutely no reason this wouldn't work on a Mac.

Re:Not on Mac

[bill_mcgonigle]

Oh, well then, forget what I said. I guess I should have RTFA instead of just watching the YouTube clip. :P

The vulnerability I was thinking of doesn't yet exist...

RFC2617

[datadigger]

Mod parent up!
Very insightful indeed. A gem in this forest of blahblah.
The Apache docs, though mostly sufficient for a decent httpd.conf, are not very helpful in discussion like this one.

Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!!

Uhhh, you do? (Duh?)

Do what?

Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!!

Do what?

your mom

Your tradeoff fails it

[tepples]

If you always use a bookmark to https://www.paypal.com/ [paypal.com] to visit PayPal, how will PayPal know the seller, the order number, or the amount? By you typing it in. More secure that way. There is always a tradeoff between security and convenience. The design that you propose is so inconvenient that it is unprofitable for any retailer to operate in this way.

Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!!

your mum is a better fuck than your sister

Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!!

[Macthorpe]

Do what? Remind me of the babe.

(I'm sorry Slashdot, I couldn't let this one go.)