
Firefox Spoofing Bug Puts Passwords At Risk

Posted by Zonk
from the please-keep-the-fox-in-the-pen dept.
hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff, Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11, and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"
This discussion has been archived. No new comments can be posted.

  • by pembo13 (770295) on Friday January 04, 2008 @10:56AM (#21909112) Homepage
    Hope the Firefox guys can get to it quickly, but it doesn't sound too serious. In the meantime, people need to practice the whole watching where you browse idea.
    • by Anonymous Coward
      As with all FOSS, the first course of action needs to be very vocal denials. It's always worked in the past... after all, would anyone be using Firefox if we were honest from the start about all the gaping security holes, buffer overflows, and the over 300 memory leaks? Not likely, especially since IE7 is both more stable and secure... and most people already have it on their computers! Also, now IE8 is coming down the pipe, we won't be able to use the "itz notz teh stadtards komplient!!11!!1!" whine. I
    • by Blakey Rat (99501)
      Would be nice if there was a screenshot of what this mysterious "realm" dialog box looks like. I can't be the only person who has no clue what he's talking about, can I?
      • He's talking about the standard HTTP Auth [google.com] dialog. (Good luck refusing to enter your password in any HTTP Auth dialogs -- it's still the most ubiquitous authentication mechanism on the Web.)
        • I don't know what sites you go to, but there is only one website I ever see that prompt for, and that is an intranet website. It would be an issue if this could be used to get saved passwords more easily, which I haven't seen anything about yet, but that is easily prevented by using the secure login plug-in [mozilla.org].
    • by xero314 (722674)
      This is both old news and a very weak exploit. The fact that firefox is built with XUL which it can also render has made it vulnerable to these exploits since day one. There are already examples out there of "Web Sites" (XUL applications) that can cause a pop up window that looks and works just like a new browser window except that they can filter the content entered into any field in the browser or other site to anywhere else for tracking and stealing of information.
  • by Prairiewest (719875) on Friday January 04, 2008 @10:58AM (#21909142) Homepage
    Too bad he doesn't want to show an online demo of this, I was kind of getting used to being able to try out these kinds of exploits in my own browser. Call me masochistic.
  • Phishing (Score:5, Insightful)

    by JCSoRocks (1142053) on Friday January 04, 2008 @10:58AM (#21909146)
    Ugh, this is basically just another form of phishing. Who follows links to websites that require a username / password anymore anyway? If I want to go to gmail, my bank, whatever, I'm definitely not going to follow a link from some random website or e-mail. I'm going to type in the URL and login. Don't get me wrong, it'll be good to see this patched - but basically this vulnerability only matters if you're the same kind of person that falls for phishing.
    • Re:Phishing (Score:4, Insightful)

      by jlarocco (851450) on Friday January 04, 2008 @11:06AM (#21909228) Homepage

      But basically this vulnerability only matters if you're the same kind of person that falls for phishing.

      Haven't Firefox zealots been pushing Firefox to the "kind of person that falls for phishing"? I was under the impression that "being secure" was one of their big selling points that they liked to talk about.

      Given that, they should fix this immediately.

      • Re: (Score:1, Troll)

        by somersault (912633)
        The kind of person that falls for phishing is screwed in life anyway. Firefox 'zealots' simply recommend an easily-better-than-IE browser to their friends and associates, and a lot of them will just happen to be people with no common sense.
        • by B3ryllium (571199)
          They're taking advice from nerds. If this doesn't show a lack of common sense, I don't know what does.

          (Sticking a tie in an electric hand mixer - while wearing the tie - runs a close second)
          • I dunno, if the RIAA took advice from nerds and embraced digital downloads rather than fighting tooth and nail against them, then they'd be doing a lot better for themselves.
          • Taking advice from nerds on topics in which the nerds are experts shows a great deal of common sense.

            Taking advice from nerds (or anyone else) on topics in which they are not experts is the problem. That's why I have a problem with politics because most of the things being advised by politicians are being advised by people who have little or no expertise in the subject at hand. Seeking foreign policy advice from Senator Obama or Governor Huckabee, for instance, shows a lack of common sense. Seeking advic
      • FireFox is definitely marketed as being more secure. However, there are certain things that people just shouldn't do. Taking the time to read and respond to all the spam they get, for example. Following links to trusted sites is another one. Do you download gobs of awesome free screen savers and clocks and smiley face making programs? no. Why? because you know they're full of crapware. Same thing.

        I said that it should be patched in my original post, but my point was that this is just a way to do a phishi
        • However, there are certain things that people just shouldn't do. Taking the time to read and respond to all the spam they get, for example. Following links to trusted sites is another one.
          Even if the trusted site is a payment processor such as PayPal, Google, or Amazon, and the link comes from an online store where the user is trying to complete a purchase?
          • by SnowZero (92219)
            While I can see your point, I don't think it's a good idea to buy something from an online store that you don't trust. Pay the extra ~3% and go to a store that people have heard of.
    • It has nothing to do with forms-based login pages like GMail or banks use. It has to do with the 'basic auth' dialog like what gets presented to you when you login to your average LinkSys router or the 'control panel' applications that many shared hosting providers use like 'CPanel'.

      And such attacks could be used in combination with stuff like DNS spoofing -- take over your ISP's DNS server and myhostingprovider.com goes where the h4x0r wants it to go.
    • Re: (Score:3, Informative)

      by cheater512 (783349)
      This only works on the actual HTTP authentication stuff, not web forms.
      No mainstream site uses it so they'll probably get confused rather than enter in their password.
      • Re: (Score:3, Interesting)

        by fmobus (831767)

        And also because HTTP authentication dialogs are quite "spoofable" anyway. You can make a phony dialog, whose style matches the system you're targeting. Of course, you can't make it modal like the real one, but most users can't really tell the difference.

        Just like the "lock" on older versions of Internet Explorer. People were taught to look for the "lock" icon on the status bar to assure they are safe. However, if the status bar is disabled (IIRC, it is the bloody DEFAULT), you could fake a status bar wit

        • by Burz (138833)
          Yes, and the status bar is important for checking a link's URL before clicking on it.
        • > And also because HTTP authentication dialogs are quite "spoofable" anyway.

          This reminds me of something I've been meaning to investigate for a while now.

          If you use Firefox to store your passwords for various sites using its password manager, you have the option of setting a "Master Password" - a password that is used to encrypt your stored passwords on disk as a security precaution. Each time you start an instance of Firefox, if you browse to a site for which you have a stored password, Firefox will ask
          • by fmobus (831767)
            Well, a website could fake this, but the attacker would still need access to the ciphertext containing the other passwords to do something useful. Presumably, this requires filesystem access on the computer running that browser (either physically or remotely) and that alone is a much more serious problem. With file system access, one could perform evil instrumentation in a variety of points: replacing the firefox executable, replacing DNS entries, or even keylogging.
          • How hard would it be to fake this security dialogue?

            Probably easy, with a float. But you can tell half the time because the guys who write these things can't seem to get through a sentence like "Please enter the master password for the Software Security Device" without misspelling at least three words. And they would make it look like an IE dialog. (I'm either using FF or Safari and I get fake IE dialogs all the time.)

            Firefox Password Manager fell victim to an attack in late 2006. [slashdot.org] Its mistake was based on t
        • by hackstraw (262471)

          It pisses me off that my bank recently moved its login page to a https page.

          My bank!!!

          I phoned them and complained, and they said it was no big deal.

          Well, it's on an https page now.

          I'm thinking that their logic is that the browser warns the user (usually once, then they turn it off) that they are sending information via a nonsecure page if the handler is not an https server. Call me paranoid, but I want my login page encrypted.

    • Rats, I thought something was fishy, them ditching SSL and all.

      Don't laugh, Datek (now Ameritrade) used basic HTTP auth until about 2001 or so. Yikes!
    • by bl8n8r (649187)
      > If I want to go to gmail, my bank, whatever,
      > I'm definitely not going to follow a link from some random website or e-mail.

      The bigger picture is coupled with XSS (http://en.wikipedia.org/wiki/Cross-site_scripting) or a writeable web root*, you could be redirected without even knowing it. Malware could also drop a local web page on your computer and redirect you there to offer up the exploit. How about when you purchase things on Ebay and click "Continue to my PayPal account". For every person like
  • by PrescriptionWarning (932687) on Friday January 04, 2008 @11:01AM (#21909176)
    What's really to stop someone from popping up a screen that says "Please enter your PayPal username and password below:" anyway? I mean all they gotta do is set up some simple html page that kinda looks official and you can be sure that you'll get more than a handful of dummies who'll actually put it in. I have to wonder when things stop being considered the fault of the program and start being the fault of the user.
    • Re: (Score:2, Insightful)

      by hotrodent (1017236)
      Agreed, and heck, I'm a big Firefox advocate. But would you react the same way if the fault had been found in IE instead? A bug is a bug and needs to be fixed. Users will ALWAYS be users - that'll never change.
    • Re: (Score:3, Informative)

      by Basje (26968)
      Because the realm is the identifying element of authentication. The username/password combo is automatically resent if the realm matches.

      So if you first logon to paypal and afterwards to another page on the same realm, you don't need to retype the username/password.

      If another site mimics the exact realm, the username/password is sent to that site as well.

      Details here: http://httpd.apache.org/docs/1.3/howto/auth.html#basicworks [apache.org]
      • Re: (Score:3, Informative)

        That doesn't sound right to me, but I'm not going to test it because I'd rather go to bed.

        The realm is not a trusted string in any way, shape, or form, and if a browser did automatically hand out your username and password to any site claiming the same "Realm" it should cause quite a stir in the security community. Reasonably, I'd expect browsers to follow the specs you linked to in the Apache docs but only within the same domain.

        On the other hand, Basic authentication isn't widely used, so I guess m

        • by jon787 (512497)
          Firefox does the sane thing and limits Realm to a hostname. Not sure about any other browser but we use HTTP Auth here and I've accidentally switched from partial to fully-qualified domains and had it prompt me again.
      • by chrisv (12054)

        The realm is only half of the identifying element - the URL requesting authentication is the other half. For basic authentication (RFC 2617 [ietf.org], section 2), the realm value is only for the server sending it; if another server (identified typically by [ http/https, hostname, port ]) sends me a WWW-Authenticate header with the same realm name specified, for the purposes of authentication it is a different realm. In digest authentication (section 3), it is possible to have credentials go across multiple servers,
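The protection-space rule chrisv describes (and jon787's observation that a partially qualified and a fully qualified hostname get separate prompts) can be checked with a small credential cache keyed the way RFC 2617 section 2 defines a protection space: the canonical root URL of the server that sent the challenge plus the realm it named. This is an added example written for this thread, not Firefox's or Mozilla's code; the hosts bank.example, evil.example and intranet are constructed placeholders.

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def protection_space(url, realm):
    """Key for one RFC 2617 protection space.

    The key is (scheme, host, port, realm): the canonical root URL of the
    server that issued the challenge plus the realm string it sent. The same
    realm text on a different scheme, host or port is a different space, so
    a site cannot inherit credentials just by copying another site's realm.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased, port stripped
    if scheme not in _DEFAULT_PORTS or host is None:
        raise ValueError("need an absolute http(s) URL: %r" % (url,))
    port = parts.port or _DEFAULT_PORTS[scheme]  # fill in the default port
    return (scheme, host, port, realm)


class CredentialCache:
    """Minimal model of a browser's 'resend stored credentials' decision."""

    def __init__(self):
        self._store = {}

    def remember(self, url, realm, username, password):
        """Store credentials the user typed for a challenge from this URL."""
        self._store[protection_space(url, realm)] = (username, password)

    def lookup(self, url, realm):
        """Credentials to resend automatically, or None meaning 'prompt'."""
        return self._store.get(protection_space(url, realm))


if __name__ == "__main__":
    # Constructed demo: credentials for bank.example stay with bank.example.
    cache = CredentialCache()
    cache.remember("https://bank.example/login", "Online Banking", "alice", "s3cret")
    print(cache.lookup("https://bank.example/accounts", "Online Banking"))  # reused
    print(cache.lookup("https://evil.example/", "Online Banking"))         # None: prompt
    # Partially vs fully qualified hostname: different space, new prompt.
    cache.remember("http://intranet/wiki", "Wiki", "bob", "pw")
    print(cache.lookup("http://intranet.corp.example/wiki", "Wiki"))       # None: prompt
```

The lookup for evil.example returns None even though the realm text is identical, which is the behaviour chrisv describes; the intranet case shows why jon787 was prompted again after switching to a fully qualified name.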

    • Re: (Score:3, Insightful)

      by Bearhouse (1034238)
      Indeed. Slightly offtopic, but the really bad thing is that eBay and Paypal do just this, (popup screens across sites). The first time I was asked to verify my Paypal details when trying to pay for something on eBay, I spent a long time noting the different pieces of info, then backed out and rechecked, before submitting any more sensitive info, (Paypal ID and CC numbers).

      Yes, browser faults are serious and should be fixed, but a bigger problem is sloppy coding of sites that get people into bad "submit th
  • Youtube video (Score:5, Informative)

    by sucker_muts (776572) on Friday January 04, 2008 @11:03AM (#21909210) Homepage Journal
    Youtube video mentioned in the article:

    http://youtube.com/watch?v=NaCPw1s3GFw [youtube.com]

     
    • Thanks for the useful link. It occurs to me that this would throw a flag for most Mac users, who are used to their dialogs descending down from the title bar of the window in an animated sheet. A webpage shouldn't be able to modify chrome, and thus a fully convincing exploit shouldn't be possible for Mac.

      Score one for gratuitous eye candy as security feature.
      • by uhlume (597871)
        Except that isn't a faked Basic Auth dialog, it's a real dialog box (genuine chrome!) with a spoofed Realm. Watch more closely. There's absolutely no reason this wouldn't work on a Mac.
        • Oh, well then, forget what I said. I guess I should have RTFA instead of just watching the YouTube clip. :P

          The vulnerability I was thinking of doesn't yet exist...
  • pssst (Score:1, Funny)

    by Anonymous Coward
    If you post a message in slashdot containing your username in the first line, your password in the second and three blank lines below, "PWND" without the quotes in the subject line, and post it using Extrans you will get loads of karma. It worked for me.
  • OMG...

    What's this mean for all those whose answer to vulnerability was to block Flash and use Firefox!!!

    • by mhall119 (1035984)
      It means don't give your f*ing password out to people who come to you. I have a password on my bank account, and whenever I go to my bank I have to give them my password, but I would never _ever_ give my password if someone from my bank contacted me (which actually happened once).
      • by PortHaven (242123)
        I like the new method that my bank's been using. Even for counter deposits they still have you swipe your ATM card. You don't have to, but it's an extra check point.

        My thoughts...

        "There will always be vulnerabilities, the greatest risk will always remain the user."

        I remember when my machine got infected with the "I love you" virus. I sat there arguing with two of our network engineers that it was a virus. They were like "No, it came from the owner's son." I kept saying, "Something's wrong...".

        They're like
    • What's this mean for all those whose answer to vulnerability was to block Flash and use Firefox!!!


      Go back to using IE?

      • by PortHaven (242123)
        Pen & Paper all the way!!!

        The best RPGs were ALWAYS "pen & paper" (well, pencil actually) ;-)
    • by Verte (1053342)
      FTFA:

      In the background, however, the attacker would have crafted a script that exploited the Firefox vulnerability to redirect the username and password entered by the user to the hacker's server instead of the real deal.
      Don't allow untrusted sites to run Javascript, of course. This exploit needs scripts enabled in order to post back.
  • by samjam (256347) on Friday January 04, 2008 @11:12AM (#21909304) Homepage Journal
    Who pays attention to realm, anyway?

    I've always interpreted the realm as an advisory comment for the dialog box, and used the URL of the website to indicate whether or not I want to give up a password.

    Sam
    • by IBBoard (1128019)
      Exactly what I was thinking. I've not encountered many of those type of dialogs (so few that I can't remember the last time I did) but if you look at his example then it still says "at http://avia..../ [avia....]" (or whatever his domain was) at the end.

      Based on the comparison page [kriptopolis.org] that someone posted it isn't so much a vulnerability as just bad formatting that doesn't make things as clear as it could do. If you look at the bit that says "it is from this domain" then you still get the same old (and correct) informatio
    • by OverlordQ (264228)
      Who pays attention to realm, anyway?

      Um, that's the point, the browser window was pointing at google checkout, but if you look at the realm at the end, it's '@ avivra.com'

      So if you followed your advice, you would have just given up your information.
  • Just wondering (Score:2, Insightful)

    by mariuszbi (1113049)
    AFAIK the passwords sent like this are still plain text, no encryption whatsoever. So the question arises: What site still uses this kind of primitive login?! No commercial sites, I guess. Another problem that makes this attack unlikely is that the user doesn't expect a dialog to appear, he wants the web_site_standard_login_form.

    More problems come from giving the user an identical page hosted on some evil server, in that case the user expects to see the login form. Then again, a bug is still a bug, and the

    • by Auz (50055)
      "Another problem that makes this attack unlikely is that the user doesn't expect a dialog to appear, he wants the web_site_standard_login_form."

      Well, the more savvy users probably. I can think of several members of my family who would probably assume the bank or whatever had just changed a few things.
    • by Todd Knarr (15451)

      It's only unencrypted if you're doing Basic authentication. HTTP also defines Digest authentication, in which the password is never sent at all, only a digest to prove to the server that the client knows the password.

    • by RAMMS+EIN (578166)
      Slashdot uses plain text authentication. So does security.nl. And lots of other sites. It's embarrassing, really.
  • A Spanish website with screenshots of how this is handled by IE6, Firefox, Opera and Konqueror: http://www.kriptopolis.org/falsificando-dialogos-firefox [kriptopolis.org]
  • by peipas (809350)
    What a coincidence that the security researcher's last name is the same as the browser he is testing!
  • by Anonymous Coward on Friday January 04, 2008 @11:25AM (#21909454)
    I'm having a hard time calling this a *bug*. I would rather call it a presentation problem.

    Then again, what's the problem?

    The standard Firefox HTTP auth dialog says "Please enter the username and password for $REALM at $URL". Note the included URL to prevent phishing.

    Now what Mr Raff does is basically set up $REALM as "Google Checkout (https://www.google.com) for more details see my page at" and $URL as the domain name he controls. The whole thing looks like: "Please enter the username and password for Google Checkout (https://www.google.com) for more details see my page at http://avivraff.com/ [avivraff.com]".

    So no, I haven't looked at the HTTP RFC, but I am not sure that forbidding spaces and quotes in HTTP auth realms is the answer.
    What Firefox actually needs is just a better, more fail-safe presentation of the data on this dialog.

    Just my 2 AC cents (too lazy to create an account for just that)
    • by stony3k (709718)
      Mod parent up. This is exactly what the fault is. Firefox needs to present the details better, that's all.
    • by Todd Knarr (15451)

      Agreed. Banning spaces in the realm would violate the RFCs and make descriptive realms (e.g. "Google Checkout") less feasible. I simply remember that the authentication dialog format isn't under the control of the site, which means that the URL at the end is the URL (technically a prefix) the username and password will be used by. If I see something like his example that appears to imply otherwise, it means the site's trying to play games and I should ignore the implication and trust my browser: the URL at t

  • I am still with 1.5, it's a memory hog and doesn't do everything that the latest version does and I am not even sure that it doesn't have the same vulnerability, but I am just not interested in FF2 and/or FF3 for now. The versions switch too fast all in the name of more functionality but the basic security and memory questions are still unanswered.

    Here is the real question: How do you really know that your browser is safe at all? You can download the code and read it, but I believe it is not just about co
    • Re:FF1.5 (Score:4, Insightful)

      by dvice_null (981029) on Friday January 04, 2008 @12:05PM (#21909934)
      > Here is the real question: How do you really know that your browser is safe at all?

      Well first thing is to make sure you are using the latest version. E.g. not using FF 1.5, which doesn't get security updates anymore.

      That is pretty much all you need to do if you are a normal user. If you need superior security, then you run the browser in a sandbox.
      • by roman_mir (125474)
        My browser has no plugins, no flash, the js is disabled. I use it only for reading text basically, so it doesn't matter much which version it is.
        • by jesser (77961)
          Some browser vulnerabilities can be exploited without plugins or JavaScript, so even if you have those disabled, you'll be safer if you update to a current version.
    • by BenoitRen (998927)

      A new version once a year is too often for you?!

  • I always use my own bookmarks or type the URL of the site I wish to visit & of course I never save any user/passwords in my browsers. I always recommend to my clients to use password storage software to save passwords, never the browser, & always use bookmarks. There's so many dodgy sites out there now, sometimes I find my clients are afraid to click links on sites after I inform them of all the nastiness out there. Just my 2 cents worth.
    • I always use my own bookmarks or type the url of the site i wish to visit

      Say you're trying to buy something online. One typical use case is the following:

      1. The seller's web site directs the buyer to a third-party payment processor such as PayPal, WorldPay, Amazon, or Google. Seller gives the seller's identity, a summary of the order, and an amount to the payment processor, and redirects the buyer to the payment processor.
      2. The buyer authenticates to the payment processor, commonly using a password over TLS.
      3. The buyer inspects the seller's identity claims, the order summary, and
