Slashdot Mirror


Firefox Spoofing Bug Puts Passwords At Risk

hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff, Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11, and until Mozilla fixes this vulnerability, Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"

31 of 157 comments

  1. An honest Security Bug by pembo13 · · Score: 4, Informative

    Hope the Firefox guys can get to it quickly, but it doesn't sound too serious. In the meantime, people need to practice the whole watching where you browse idea.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    1. Re:An honest Security Bug by mhall119 · · Score: 5, Insightful

      Look at the type of bugs, not just the number. One spoofing vulnerability does not compare to one remote code execution vulnerability.

      It's like saying there are 10 ways a thief can trick a Toyota user into handing over their car keys, but only 1 way a thief can remotely start your Lexus and drive it wherever they want without you even realizing they've done so. Therefore Toyotas are less secure. Or, conversely, it's like saying paper is more dangerous than dynamite, because more people get paper cuts than blow themselves up.

      --
      http://www.mhall119.com
    2. Re:An honest Security Bug by snoyberg · · Score: 3, Funny

      You have to listen to him, he made a car analogy. ... I'm just joking, it really was a good analogy.

      --
      Thank God for evolution.
    3. Re:An honest Security Bug by KlaymenDK · · Score: 4, Funny

      I liked the paper/dynamite analogy way better. New, graphic, and even explosive. That's the kind of analogies we should promote! :-D

  2. Show me the demo!! by Prairiewest · · Score: 5, Funny

    Too bad he doesn't want to show an online demo of this, I was kind of getting used to being able to try out these kinds of exploits in my own browser. Call me masochistic.

    1. Re:Show me the demo!! by gEvil+(beta) · · Score: 3, Insightful

      Well, he apparently has a demo video up on YouTube (hey, videos are better than nothing). Unfortunately, PCWorld would much rather give me links to searches on their own site instead of a USEFUL link to the actual video...

      --
      This guy's the limit!
    2. Re:Show me the demo!! by Kijori · · Score: 4, Informative

      Here it is: http://youtube.com/watch?v=NaCPw1s3GFw I made the same mistake of clicking on the PCWorld link expecting it to go to the actual video... how naive of me...

    3. Re:Show me the demo!! by MMC+Monster · · Score: 2, Insightful

      Especially when the sentence says that a link to the video is provided.

      I'm certainly not following any other links from their site. I'd probably end up on goatse.cx or something.

      --
      Help! I'm a slashdot refugee.
  3. Phishing by JCSoRocks · · Score: 5, Insightful

    Ugh, this is basically just another form of phishing. Who follows links to websites that require a username / password anymore anyway? If I want to go to gmail, my bank, whatever, I'm definitely not going to follow a link from some random website or e-mail. I'm going to type in the URL and login. Don't get me wrong, it'll be good to see this patched, but basically this vulnerability only matters if you're the same kind of person that falls for phishing.

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    1. Re:Phishing by jlarocco · · Score: 3, Insightful

      > But basically this vulnerability only matters if you're the same kind of person that falls for phishing.

      Haven't Firefox zealots been pushing Firefox to the "kind of person that falls for phishing"? I was under the impression that "being secure" was one of their big selling points that they liked to talk about.

      Given that, they should fix this immediately.

    2. Re:Phishing by cheater512 · · Score: 2, Informative

      This only works on the actual HTTP authentication stuff, not web forms.
      No mainstream site uses it so they'll probably get confused rather than enter in their password.

    3. Re:Phishing by fmobus · · Score: 2, Interesting

      And also because HTTP authentication dialogs are quite "spoofable" anyway. You can make a phony dialog, whose style matches the system you're targeting. Of course, you can't make it modal like the real one, but most users can't really tell the difference.

      Just like the "lock" on older versions of Internet Explorer. People were taught to look for the "lock" icon on the status bar to assure they are safe. However, if the status bar is disabled (IIRC, it is the bloody DEFAULT), you could fake a status bar with a fake icon.

      Fortunately, IE7 moved the icon to the location bar (a sensible approach, probably learned from OSS browsers like Firefox). But yeah, they still ship with a status bar that can be disabled. Go figure.

  4. Please enter your credentials here: by PrescriptionWarning · · Score: 5, Insightful

    What's really to stop someone from popping up a screen that says "Please enter your PayPal username and password below:" anyway? I mean all they gotta do is set up some simple html page that kinda looks official and you can be sure that you'll get more than a handful of dummies who'll actually put it in. I have to wonder when things stop being considered the fault of the program and start being the fault of the user.

    1. Re:Please enter your credentials here: by hotrodent · · Score: 2, Insightful

      Agreed, and heck, I'm a big Firefox advocate. But would you react the same way if the fault had been found in IE instead? A bug is a bug and needs to be fixed. Users will ALWAYS be users - that'll never change.

    2. Re:Please enter your credentials here: by Basje · · Score: 2, Informative

      Because the realm is the identifying element of authentication. The username/password combo is automatically resent if the realm matches.

      So if you first log on to paypal and afterwards to another page on the same realm, you don't need to retype the username/password.

      If another site mimics the exact realm, the username/password is sent to that site as well.

      Details here: http://httpd.apache.org/docs/1.3/howto/auth.html#basicworks

      --
      the pun is mightier than the sword
    3. Re:Please enter your credentials here: by totally+bogus+dude · · Score: 2, Informative

      That doesn't sound right to me, but I'm not going to test it because I'd rather go to bed.

      The realm is not a trusted string in any way, shape, or form, and if a browser did automatically hand out your username and password to any site claiming the same "Realm" it should cause quite a stir in the security community. Reasonably, I'd expect browsers to follow the specs you linked to in the Apache docs but only within the same domain.

      On the other hand, Basic authentication isn't widely used, so I guess most people wouldn't encounter ill effects of such a "feature", and most browsers only remember passwords based on the domain name anyway. The chances of anyone accessing a legitimate site that uses Basic authentication and then accessing an illegitimate site that happens to use the exact same realm name in the same browser session are pretty remote. Still, it seems a bit too simplistic for the modern web.

      I've no idea how old that entry is, but I really do suspect it dates from earlier, simpler times. The server doesn't provide a Last-Modified header and I couldn't see a datestamp anywhere in the file.

    4. Re:Please enter your credentials here: by Bearhouse · · Score: 2, Insightful

      Indeed. Slightly offtopic, but the really bad thing is that eBay and Paypal do just this, (popup screens across sites). The first time I was asked to verify my Paypal details when trying to pay for something on eBay, I spent a long time noting the different pieces of info, then backed out and rechecked, before submitting any more sensitive info, (Paypal ID and CC numbers).

      Yes, browser faults are serious and should be fixed, but a bigger problem is sloppy coding of sites that get people into bad "submit the damn info already" habits...

  5. Youtube video by sucker_muts · · Score: 4, Informative

    Youtube video mentioned in the article:

    http://youtube.com/watch?v=NaCPw1s3GFw

    --
    Dependency hell? => /bin/there/done/that
  6. Who pays attention to realm, anyway? by samjam · · Score: 3, Insightful

    Who pays attention to realm, anyway?

    I've always interpreted the realm as an advisory comment for the dialog box, and used the URL of the website to indicate whether or not I want to give up a password.

    Sam

  7. Just wondering by mariuszbi · · Score: 2, Insightful

    AFAIK the passwords sent like this are still plain text, no encryption whatsoever. So the question arises: What site still uses this kind of primitive login?! No commercial sites, I guess. Another problem that makes this attack unlikely is that the user doesn't expect a dialog to appear, he wants the web_site_standard_login_form.

    More problems come from giving the user an identical page hosted on some evil server; in that case the user expects to see the login form. Then again, a bug is still a bug, and the only good bug is a dead one.

  8. How different browsers handle this by amolapacificapaloma · · Score: 2, Informative

    A Spanish website with screenshots of how this is handled by IE6, Firefox, Opera and Konqueror: http://www.kriptopolis.org/falsificando-dialogos-firefox

    --
    exp(i*pi)+1=0
  9. Re:PWND by mpathetiq · · Score: 2, Funny

    It must have worked, I've got Excellent Karma!

  10. Not to get too technical, but... by thegnu · · Score: 5, Funny

    I wonder how many bugs have not been discovered yet.

    All of them. No wait, let me check...

    Yep, all of them!

    --
    Please stop stalking me, bro.
    1. Re:Not to get too technical, but... by blackjackshellac · · Score: 4, Funny

      Reminds me of this joke,

      We were traveling by plane at half the speed of smell and got passed by a kite.
      Then one of the two engines failed. And the guy sitting next to me went nuts
      and asked how far the other engine would take us. All the way to the scene of the
      crash, I told him. But we'll beat the paramedics by 35 minutes.
      -- Ron White

      --
      Salut,

      Jacques

  11. Sorry, but I'm calling BS by Anonymous Coward · · Score: 3, Insightful

    I'm having a hard time calling this a *bug*. I would rather call it a presentation problem.

    Then again, what's the problem?

    The standard Firefox HTTP auth dialog says "Please enter the username and password for $REALM at $URL". Note the included URL to prevent phishing.

    Now what Mr Raff does is basically set up $REALM as "Google Checkout (https://www.google.com) for more details see my page at" and $URL as the domain name he controls. The whole thing looks like: "Please enter the username and password for Google Checkout (https://www.google.com) for more details see my page at http://avivraff.com/".

    So no, I haven't looked at the HTTP RFC, but I am not sure that forbidding spaces and quotes in HTTP auth realms is the answer.
    What Firefox actually needs is just a better, more fail-safe presentation of the data on this dialog.

    Just my 2 AC cents (too lazy to create an account for just that)
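
The "more fail-safe presentation" the comment above argues for, as an added example that is not part of the original thread or of Firefox: a small Python parser for a Basic challenge that decodes RFC 2617 quoted-string escapes, keeps the site's hostname visually separate from the site-controlled realm, and flags realm text that tries to look like origin information. The challenge strings and the `attacker.example` hostname are constructed for the example.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample challenges modelled on the crafted realm described in the thread
# (not captured from any real server).
CHALLENGES = {
    "benign": 'Basic realm="Staging Wiki"',
    "spoof": 'Basic realm="Google Checkout (https://www.google.com) for more details see my page at"',
    "escaped": 'Basic realm="Say \\"hi\\""',
}

# auth-param: token "=" ( token | quoted-string ), with backslash escapes inside quotes
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_basic_realm(header: str) -> Optional[str]:
    """Return the realm of a Basic challenge, or None if it is not a Basic challenge."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    for m in _PARAM.finditer(params):
        if m.group(1).lower() == "realm":
            raw = m.group(2) if m.group(2) is not None else m.group(3)
            return re.sub(r"\\(.)", r"\1", raw)  # unescape \" and \\
    return None


def realm_warnings(realm: str) -> List[str]:
    """Heuristics for realm text that could masquerade as the site's identity."""
    warnings = []
    if re.search(r"https?://|www\.|\.[a-z]{2,}(/|\b)", realm, re.I):
        warnings.append("realm contains a URL or hostname-like string")
    if any(c in realm for c in "\"'"):
        warnings.append("realm contains quote characters")
    if len(realm) > 40:
        warnings.append("realm is unusually long")
    return warnings


def build_prompt(url: str, header: str) -> str:
    """Render the prompt with the origin first and the realm clearly marked as untrusted."""
    host = urlsplit(url).hostname or url
    realm = parse_basic_realm(header) or ""
    lines = [f"Site: {host}", f"Realm (set by the site, untrusted): {realm!r}"]
    lines += [f"WARNING: {w}" for w in realm_warnings(realm)]
    return "\n".join(lines)
```

The point is that the hostname and the realm occupy separate, labelled slots, so no realm text can read as part of the origin.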

  12. Denial is the best option by Anonymous Coward · · Score: 3, Funny

    As with all FOSS, the first course of action needs to be very vocal denials. It's always worked in the past... after all, would anyone be using Firefox if we were honest from the start about all the gaping security holes, buffer overflows, and the over 300 memory leaks? Not likely, especially since IE7 is both more stable and secure... and most people already have it on their computers! Also, now IE8 is coming down the pipe, we won't be able to use the "itz notz teh stadtards komplient!!11!!1!" whine. IE8 could very well be the final nail in our coffin... unless we keep lying and spinning to increase Firefox's market share (or at least not lose too much).

    So really, we have to deny early and often. And hey, this is FOSS: fixing problems is really secondary. If they don't like it, let them go buy something, the cheap bastages. You get what you pay for.

  13. Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!! by PatrickThomson · · Score: 2, Informative

    The power of voodoo, duh.

    --
    I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
  14. Re:FF1.5 by dvice_null · · Score: 3, Insightful

    > Here is the real question: How do you really know that your browser is safe at all?

    Well, the first thing is to make sure you are using the latest version. E.g. not using FF 1.5, which doesn't get security updates anymore at all.

    That is pretty much all you need to do if you are a normal user. If you need superior security, then you run the browser in a sandbox.

  15. Re:pssst by zsouthboy · · Score: 4, Funny

    All my passwords are hunter2 anyway.

  16. Re:pssst by pcgabe · · Score: 2, Funny

    All your passwords are what? I just see a bunch of asterisks.

    --
    Don't put advice in your sig.