Firefox Spoofing Bug Puts Passwords At Risk 157
A reader writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11 and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"
Phishing (Score:5, Insightful)
Re:Show me the demo!! (Score:4, Insightful)
Please enter your credentials here: (Score:5, Insightful)
Re:Phishing (Score:4, Insightful)
Haven't Firefox zealots been pushing Firefox to the "kind of person that falls for phishing"? I was under the impression that "being secure" was one of their big selling points that they liked to talk about.
Given that, they should fix this immediately.
Re:Please enter your credentials here: (Score:2, Insightful)
Re:An honest Security Bug (Score:5, Insightful)
It's like saying there are 10 ways a thief can trick a Toyota user into handing over their car keys, but only 1 way a thief can remotely start your Lexus and drive it wherever they want without you even realizing they've done so. Therefore Toyota's are less secure. Or, conversely, it's like saying paper is more dangerous than dynamite, because more people get paper cuts than blow themselves up.
Who pays attention to realm, anyway? (Score:4, Insightful)
I've always interpreted the realm as an advisory comment for the dialog box, and used the URL of the website to indicate whether or not I want to give up a password.
Sam
Just wondering (Score:2, Insightful)
More problems come from giving the user an identical page hosted on some evil server, in that case the user expects to see the login form.Then again, a bug is still a bug, and the only good bug is a dead one.
Sorry, but I'm calling BS (Score:3, Insightful)
Then again, what's the problem?
The standard Firefox HTTP auth dialog says "Please enter the username and password for $REALM at $URL". Note the included URL to prevent phishing.
Now what Mr Raff does is basically set up $REALM as "Google Checkout (https://www.google.com) for more details see my page at" and $URL as the domain name he controls. The whole thing looks like: Please enter the username and password for Google Checkout (https://www.google.com) for more details see my page at http://avivraff.com/ [avivraff.com]".
So no, I haven't looked at the HTTP RFC, but I am not sure that forbiding spaces and quotes in HTTP auth realms is the answer.
What Firefox actually needs is just a better, more fail-safe presentation of the data on this dialog.
Just my 2 AC cents (too lazy to create an account for just that)
Re:SLASHDOT CENSORSHIP: 1984 IS HERE!!! (Score:1, Insightful)
Re:FF1.5 (Score:4, Insightful)
Well first thing is to make sure you are using the latest version. E.g. not using FF 1.5, which doesn't anymore get security updates at all.
That is pretty much all you need to do if you are a normal user. If you need superiour security, then you run the browser in a sandbox.
Re:Show me the demo!! (Score:3, Insightful)
I'm certainly not following any other links from their site. I'd probably end up on goatse.cx or something.
Re:Please enter your credentials here: (Score:3, Insightful)
Yes, browser faults are serious and should be fixed, but a bigger problem is sloppy coding of sites that get people into bad "submit the damn info already" habits...