Firefox Spoofing Bug Puts Passwords At Risk 157
A reader writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11 and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"
An honest Security Bug (Score:5, Informative)
Youtube video (Score:5, Informative)
http://youtube.com/watch?v=NaCPw1s3GFw [youtube.com]
How different browsers handle this (Score:2, Informative)
Re:Please enter your credentials here: (Score:3, Informative)
So if you first logon to paypal and afterwards to another page on the same realm, you don't need to retype the username/password.
If another site mimics the exact realm, the username/password is sent to that site as well.
Details here: http://httpd.apache.org/docs/1.3/howto/auth.html#basicworks [apache.org]
Re:Show me the demo!! (Score:1, Informative)
Some much more informative links (Score:3, Informative)
and
http://www.kriptopolis.org/falsificando-dialogos-firefox [kriptopolis.org] (Spanish)
Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!! (Score:2, Informative)
Re:Please enter your credentials here: (Score:3, Informative)
That doesn't sound right to me, but I'm not going to test it because I'd rather to go to bed.
The realm is not a trusted string in any way, shape, or form, and if a browser did automatically hand out your username and password to any site claiming the same "Realm" it should cause quite a stir in the security community. Reasonably, I'd expect browsers to follow the specs you linked to in the Apache docs but only within the same domain.
On the other hand, Basic authentication isn't widely used, so I guess most people wouldn't encounter ill effects of such a "feature", and most browsers only remember passwords based on the domain name anyway. The chances of anyone accessing a legitimate site that uses Basic authentication and then accessing an illegitimate site that happens to use the exact same realm name in the same browser session are pretty remote. Still, it seems a bit too simplistic for the modern web.
I've no idea how old that entry is, but I really do suspect it dates from earlier, simpler times. The server doesn't provide a Last-Modified header and I couldn't see a datestamp anywhere in the file.
Re:Show me the demo!! (Score:5, Informative)
Re:Phishing (Score:3, Informative)
No mainstream site uses it so they'll probably get confused rather than enter in their password.