Slashdot Mirror


Firefox Spoofing Bug Puts Passwords At Risk

hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff, Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11, and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"
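
As an added example (not from the article, the advisory, or Mozilla's code), a small Python check that a proxy or a log-review script could run over WWW-Authenticate challenges to flag realm values carrying the quote and whitespace characters the summary describes; the regex, the severity levels and the sample challenges are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Quoted realm parameter of a Basic/Digest challenge, e.g. Basic realm="Private".
# The quoted-string may contain backslash-escaped characters (RFC 2617).
_CHALLENGE_RE = re.compile(
    r'^\s*(?P<scheme>[A-Za-z]+)\s+realm="(?P<realm>(?:[^"\\]|\\.)*)"', re.S)

@dataclass
class RealmCheck:
    scheme: str
    realm: str
    severity: str               # "none", "low" or "high" (assumed scale)
    reasons: List[str] = field(default_factory=list)

def check_www_authenticate(header_value: str) -> RealmCheck:
    """Classify the realm of a WWW-Authenticate challenge.

    High severity: quote or control characters in the realm, the ingredients the
    summary describes for making the dialog text look as if it came from another
    site. Low severity: whitespace only, which is common in legitimate realms.
    """
    m = _CHALLENGE_RE.match(header_value)
    if not m:
        raise ValueError("no quoted realm parameter found")
    realm = re.sub(r"\\(.)", r"\1", m.group("realm"))   # unescape quoted-pairs
    reasons = []
    if "'" in realm or '"' in realm:
        reasons.append("quote character in realm")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in realm):
        reasons.append("control character in realm")
    severity = "high" if reasons else "none"
    if any(c.isspace() for c in realm):
        reasons.append("whitespace in realm")
        if severity == "none":
            severity = "low"
    return RealmCheck(m.group("scheme"), realm, severity, reasons)

# Constructed sample challenges (not taken from the advisory or the video).
SAMPLES = {
    "plain":   'Basic realm="intranet"',
    "spaces":  'Basic realm="Secure Area"',
    "crafted": 'Basic realm="Secure Area\' please sign in to"',
    "escaped": 'Digest realm="a\\"b", nonce="abc"',
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        r = check_www_authenticate(value)
        print(f"{name:8} {r.severity:5} {r.reasons}")
```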

11 of 157 comments

  1. An honest Security Bug by pembo13 · Score: 4, Informative

    Hope the Firefox guys can get to it quickly, but it doesn't sound too serious. In the mean time, people need to practice the whole watching where you browse idea.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    1. Re:An honest Security Bug by mhall119 · Score: 5, Insightful

      Look at the type of bugs, not just the number. One spoofing vulnerability does not compare to one remote code execution vulnerability.

      It's like saying there are 10 ways a thief can trick a Toyota user into handing over their car keys, but only 1 way a thief can remotely start your Lexus and drive it wherever they want without you even realizing they've done so. Therefore Toyota's are less secure. Or, conversely, it's like saying paper is more dangerous than dynamite, because more people get paper cuts than blow themselves up.

      --
      http://www.mhall119.com
    2. Re:An honest Security Bug by KlaymenDK · Score: 4, Funny

      I liked the paper/dynamite analogy way better. New, graphic, and even explosive. That's the kind of analogies we should promote! :-D

  2. Show me the demo!! by Prairiewest · Score: 5, Funny

    Too bad he doesn't want to show an online demo of this, I was kind of getting used to being able to try out these kinds of exploits in my own browser. Call me masochistic.

    1. Re:Show me the demo!! by Kijori · Score: 4, Informative

      Here it is: http://youtube.com/watch?v=NaCPw1s3GFw I made the same mistake of clicking on the PCWorld link expecting it to go to the actual video... how naive of me...

  3. Phishing by JCSoRocks · Score: 5, Insightful

    Ugh, this is basically just another form of phishing. Who follows links to websites that require a username / password anymore anyway? If I want to go to gmail, my bank, whatever, I'm definitely not going to follow a link from some random website or e-mail. I'm going to type in the URL and login. Don't get me wrong, it'll be good to see this patched, but basically this vulnerability only matters if you're the same kind of person that falls for phishing.

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
  4. Please enter your credentials here: by PrescriptionWarning · Score: 5, Insightful

    What's really to stop someone from popping up a screen that says "Please enter your PayPal username and password below:" anyway? I mean all they gotta do is set up some simple html page that kinda looks official and you can be sure that you'll get more than a handful of dummies who'll actually put it in. I have to wonder when things stop being considered the fault of the program and start being the fault of the user.

  5. Youtube video by sucker_muts · Score: 4, Informative

    Youtube video mentioned in the article:

    http://youtube.com/watch?v=NaCPw1s3GFw

    --
    Dependency hell? => /bin/there/done/that
  6. Not to get too technical, but... by thegnu · Score: 5, Funny

    I wonder how many bugs have not been discovered yet.

    All of them. No wait, let me check...

    Yep, all of them!
    --
    Please stop stalking me, bro.
    1. Re:Not to get too technical, but... by blackjackshellac · Score: 4, Funny

      Reminds me of this joke,

      We were traveling by plane at half the speed of smell and got passed by a kite.
      Then one of the two engines failed. And the guy sitting next to me went nuts
      and asked how far the other engine would take us. All the way to the scene of the
      crash, I told him. But we'll beat the paramedics by 35 minutes.
      -- Ron White

      --
      Salut,

      Jacques

  7. Re:pssst by zsouthboy · Score: 4, Funny

    All my passwords are hunter2 anyway.