Firefox Spoofing Bug Puts Passwords At Risk

A reader writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11 and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"

An honest Security Bug

[pembo13]

Hope the Firefox guys can get to it quickly, but it doesn't sound too serious. In the mean time, people need to practice the whole watching where you browse idea.

Youtube video

[sucker_muts]

Youtube video mentioned in the article:

http://youtube.com/watch?v=NaCPw1s3GFw [youtube.com]

 

How different browsers handle this

[amolapacificapaloma]

A spanish website with screenshoots of how this is handled by IE6, Firefox, Opera and Konqueror: http://www.kriptopolis.org/falsificando-dialogos-firefox [kriptopolis.org]

Re:Please enter your credentials here:

[Basje]

Because the realm is the identifying element of authentication. The username/password combo automaticly resent if the realm matches.

So if you first logon to paypal and afterwards to another page on the same realm, you don't need to retype the username/password.

If another site mimics the exact realm, the username/password is sent to that site as well.

Details here: http://httpd.apache.org/docs/1.3/howto/auth.html#basicworks [apache.org]

Re:Show me the demo!!

[Anonymous Coward]

http://youtube.com/watch?v=NaCPw1s3GFw [youtube.com]

Some much more informative links

[Anonymous Coward]

http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx [raffon.net]

and

http://www.kriptopolis.org/falsificando-dialogos-firefox [kriptopolis.org] (Spanish)

Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!!

[PatrickThomson]

The power of voodoo, duh.

Re:Please enter your credentials here:

[totally bogus dude]

That doesn't sound right to me, but I'm not going to test it because I'd rather to go to bed.

The realm is not a trusted string in any way, shape, or form, and if a browser did automatically hand out your username and password to any site claiming the same "Realm" it should cause quite a stir in the security community. Reasonably, I'd expect browsers to follow the specs you linked to in the Apache docs but only within the same domain.

On the other hand, Basic authentication isn't widely used, so I guess most people wouldn't encounter ill effects of such a "feature", and most browsers only remember passwords based on the domain name anyway. The chances of anyone accessing a legitimate site that uses Basic authentication and then accessing an illegitimate site that happens to use the exact same realm name in the same browser session are pretty remote. Still, it seems a bit too simplistic for the modern web.

I've no idea how old that entry is, but I really do suspect it dates from earlier, simpler times. The server doesn't provide a Last-Modified header and I couldn't see a datestamp anywhere in the file.

Re:Show me the demo!!

[Kijori]

Here it is: http://youtube.com/watch?v=NaCPw1s3GFw [youtube.com] I made the same mistake of clicking on the PCWorld link expecting it to go to the actual video... how naive of me...

Re:Phishing

[cheater512]

This only works on the actual HTTP authentication stuff, not web forms.
No mainstream site uses it so they'll probably get confused rather than enter in their password.