Spoofing vulnerability in Firefox
Israeli security specialist Aviv Raff has described how a vulnerability in the method used by Firefox to display authentication dialogs can allow phishers to obtain username and password information. Basic authentication is used to restrict access to a website by requesting a user name and password. Next to the name of the remote instance, the Realm, the authentication dialog box also displays information about the web server that has issued the authentification request. It seems that Firefox is rather slipshod in the way it displays the Realm. Raff claims that anyone can use single quotes and spaces to construct a dialog that will trick users into believing they are viewing a trusted site, even though the dialog actually originates from a phishing site.
Raff has made a video (WMV file) available on his website that demonstrates the problem. For an attack to be successful, the victim must click on a specially crafted link on a malicious website. But it is not at all obvious to the user that an attack is taking place. For example, an apparently harmless MySpace page that appears to connect to an Amazon book wish list could trick the user into believing a bogus login dialog originating from a malicious server is genuine. The altered login procedure should, however, make the user suspicious that something may be amiss.
The report says that the vulnerability affects Mozilla Firefox v18.104.22.168 and probably earlier versions. Other Mozilla Foundation products may also be affected. There is no update at this time. Raff, who recently discovered a security problem in the Google Toolbar, recommends that users do not provide username and password information to sites showing the dialog.
- Yet another Dialog Spoofing - Firefox Basic Authentication, security advisory by Aviv Raff