
Firefox Spoofing Bug Puts Passwords At Risk

A reader writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff, Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header. Raff was quoted as saying 'This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site.' This vulnerability was shown to be in the latest Firefox, version 2.0.0.11, and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog 'not to provide username and password to Web sites which show this dialog.'"
This discussion has been archived. No new comments can be posted.

  • Phishing (Score:5, Insightful)

    by JCSoRocks ( 1142053 ) on Friday January 04, 2008 @10:58AM (#21909146)
    Ugh, this is basically just another form of phishing. Who follows links to websites that require a username / password anymore anyway? If I want to go to gmail, my bank, whatever, I'm definitely not going to follow a link from some random website or e-mail. I'm going to type in the URL and login. Don't get me wrong, it'll be good to see this patched - but basically this vulnerability only matters if you're the same kind of person that falls for phishing.
  • by gEvil (beta) ( 945888 ) on Friday January 04, 2008 @11:00AM (#21909172)
    Well, he apparently has a demo video up on YouTube (hey, videos are better than nothing). Unfortunately, PCWorld would much rather give me links to searches on their own site instead of a USEFUL link to the actual video...
  • by PrescriptionWarning ( 932687 ) on Friday January 04, 2008 @11:01AM (#21909176)
    What's really to stop someone from popping up a screen that says "Please enter your PayPal username and password below:" anyway? I mean all they gotta do is set up some simple html page that kinda looks official and you can be sure that you'll get more than a handful of dummies who'll actually put it in. I have to wonder when things stop being considered the fault of the program and start being the fault of the user.
  • Re:Phishing (Score:4, Insightful)

    by jlarocco ( 851450 ) on Friday January 04, 2008 @11:06AM (#21909228) Homepage

    > But basically this vulnerability only matters if you're the same kind of person that falls for phishing.

    Haven't Firefox zealots been pushing Firefox to the "kind of person that falls for phishing"? I was under the impression that "being secure" was one of their big selling points that they liked to talk about.

    Given that, they should fix this immediately.

  • by hotrodent ( 1017236 ) on Friday January 04, 2008 @11:08AM (#21909250)
    Agreed, and heck, I'm a big Firefox advocate. But would you react the same way if the fault had been found in IE instead? A bug is a bug and needs to be fixed. Users will ALWAYS be users - that'll never change.
  • by mhall119 ( 1035984 ) on Friday January 04, 2008 @11:09AM (#21909262) Homepage Journal
    Look at the type of bugs, not just the number. One spoofing vulnerability does not compare to one remote code execution vulnerability.

    It's like saying there are 10 ways a thief can trick a Toyota user into handing over their car keys, but only 1 way a thief can remotely start your Lexus and drive it wherever they want without you even realizing they've done so. Therefore Toyotas are less secure. Or, conversely, it's like saying paper is more dangerous than dynamite, because more people get paper cuts than blow themselves up.
  • by samjam ( 256347 ) on Friday January 04, 2008 @11:12AM (#21909304) Homepage Journal
    Who pays attention to realm, anyway?

    I've always interpreted the realm as an advisory comment for the dialog box, and used the URL of the website to indicate whether or not I want to give up a password.

    Sam
  • Just wondering (Score:2, Insightful)

    by mariuszbi ( 1113049 ) on Friday January 04, 2008 @11:14AM (#21909328)
    AFAIK the passwords sent like this are still plain text, no encryption whatsoever. So the question arises: What site still uses this kind of primitive login?! No commercial sites, I guess. Another problem that makes this attack unlikely is that the user doesn't expect a dialog to appear, he wants the web_site_standard_login_form.

    More problems come from giving the user an identical page hosted on some evil server, in that case the user expects to see the login form. Then again, a bug is still a bug, and the only good bug is a dead one.

  • by Anonymous Coward on Friday January 04, 2008 @11:25AM (#21909454)
    I'm having a hard time calling this a *bug*. I would rather call it a presentation problem.

    Then again, what's the problem?

    The standard Firefox HTTP auth dialog says "Please enter the username and password for $REALM at $URL". Note the included URL to prevent phishing.

    Now what Mr Raff does is basically set up $REALM as "Google Checkout (https://www.google.com) for more details see my page at" and $URL as the domain name he controls. The whole thing looks like: "Please enter the username and password for Google Checkout (https://www.google.com) for more details see my page at http://avivraff.com/".

    So no, I haven't looked at the HTTP RFC, but I am not sure that forbidding spaces and quotes in HTTP auth realms is the answer.
    What Firefox actually needs is just a better, more fail-safe presentation of the data on this dialog.

    Just my 2 AC cents (too lazy to create an account for just that)
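
The comment above argues for a more fail-safe presentation of the realm rather than forbidding characters in it. The following is an added example of that idea, not code from the thread or from Firefox: it checks whether a realm names a host other than the one that sent the challenge and builds prompt text with the real host first. Function names and sample values are constructed for illustration.

```javascript
// Added example: vet a Basic-auth realm before showing it in a password prompt.
// Function names and the sample values in the test are constructed for illustration.

// Pull the realm quoted-string out of a WWW-Authenticate header value.
function parseRealm(headerValue) {
  const m = /realm\s*=\s*"((?:[^"\\]|\\.)*)"/i.exec(headerValue);
  return m ? m[1].replace(/\\(.)/g, "$1") : "";
}

// Collect host-like tokens (URLs or bare domain names) that appear in the realm text.
function hostsInRealm(realm) {
  const re = /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})/gi;
  const hosts = [];
  let m;
  while ((m = re.exec(realm)) !== null) hosts.push(m[1].toLowerCase());
  return hosts;
}

// Compare hosts named in the realm with the host that actually sent the 401.
function assessRealm(headerValue, requestUrl) {
  const originHost = new URL(requestUrl).hostname;
  const realm = parseRealm(headerValue);
  const foreignHosts = hostsInRealm(realm).filter((h) => h !== originHost);
  return { realm, originHost, foreignHosts, suspicious: foreignHosts.length > 0 };
}

// Build prompt text with the verified host first and the realm quoted, cleaned and capped.
function renderPrompt(headerValue, requestUrl, maxLen = 40) {
  const a = assessRealm(headerValue, requestUrl);
  let label = a.realm.replace(/[\u0000-\u001f\u007f]/g, " ").replace(/\s+/g, " ").trim();
  if (label.length > maxLen) label = label.slice(0, maxLen) + "...";
  const lines = [
    `Site requesting a password: ${a.originHost}`,
    `Label supplied by that site (unverified): "${label}"`,
  ];
  if (a.suspicious) {
    lines.push(`Warning: the label mentions ${a.foreignHosts.join(", ")}, which is not this site.`);
  }
  return lines.join("\n");
}
```
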
  • by Anonymous Coward on Friday January 04, 2008 @11:50AM (#21909738)
    what power?
  • Re:FF1.5 (Score:4, Insightful)

    by dvice_null ( 981029 ) on Friday January 04, 2008 @12:05PM (#21909934)
    > Here is the real question: How do you really know that your browser is safe at all?

    Well first thing is to make sure you are using the latest version. E.g. not using FF 1.5, which doesn't anymore get security updates at all.

    That is pretty much all you need to do if you are a normal user. If you need superior security, then you run the browser in a sandbox.
  • by MMC Monster ( 602931 ) on Friday January 04, 2008 @01:01PM (#21910724)
    Especially when the sentence says that a link to the video is provided.

    I'm certainly not following any other links from their site. I'd probably end up on goatse.cx or something.
  • by Bearhouse ( 1034238 ) on Friday January 04, 2008 @03:23PM (#21912814)
    Indeed. Slightly offtopic, but the really bad thing is that eBay and Paypal do just this, (popup screens across sites). The first time I was asked to verify my Paypal details when trying to pay for something on eBay, I spent a long time noting the different pieces of info, then backed out and rechecked, before submitting any more sensitive info, (Paypal ID and CC numbers).

    Yes, browser faults are serious and should be fixed, but a bigger problem is sloppy coding of sites that get people into bad "submit the damn info already" habits...
