hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs revealed Thursday a Firefox spoofing vulnerability which could allow Identity thieves to dupe users into giving up their password. According to Mr. Raff Firefox fails to sanitize single quotes and spaces in the "Realm" value of an authentication header. Raff was quoted as saying "This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site."
Mr. Raff then outlined two possible attack vectors. One in which a malicious site that included a link to a trusted site — a well-known bank, say, or a Web e-mail service such as Gmail or Hotmail — that when clicked would display its usual log-on dialog. But in the background, however, the attacker would have crafted a script that exploited the Firefox vulnerability to redirect the username and password entered by the user to the hacker's server instead of the real deal. The other involved a more classical rigged email image or one embedded in a blog or website which would then present the user when clicked with a legitimate looking login dialog.
This vulnerability was shown to be in the latest Firefox, version 2.0.0.11, and until Mozilla fixes this vulnerability Mr. Raff recommends in his blog "not to provide username and password to Web sites which show this dialog.""
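The Realm problem the submission describes, turned into a defender-side check as an added example (not code from the Slashdot post, from Mr. Raff, or from Mozilla): it parses a WWW-Authenticate header and flags realm values carrying the traits named above (quotes, spaces, another site's name), so a proxy or log review can spot challenges that could pass for a trusted site's login dialog. The header samples, host names and trusted-host list are constructed.

```python
import re

# Added example (not from the post or from Firefox): parse an HTTP auth
# challenge and report realm values that could be used to mimic another
# site's login dialog. Samples and host names below are constructed.

SCHEME_RE = re.compile(r'(?i)\b(basic|digest)\s+(.*)')
PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_www_authenticate(header):
    """Return (scheme, {param: value}) for a WWW-Authenticate header value."""
    m = SCHEME_RE.match(header.strip())
    if not m:
        return None, {}
    params = {}
    for key, quoted, bare in PARAM_RE.findall(m.group(2)):
        value = quoted if quoted else bare
        params[key.lower()] = value.replace('\\"', '"')
    return m.group(1).lower(), params


def realm_warnings(header, serving_host, trusted_hosts=()):
    """List reasons the challenge's realm looks like it impersonates a site.

    serving_host is the host that actually sent the challenge; a realm that
    names that same host is normal and is not flagged.
    """
    _, params = parse_www_authenticate(header)
    realm = params.get("realm", "")
    reasons = []
    if "'" in realm or '"' in realm:
        reasons.append("quote character in realm")
    if re.search(r"\s", realm):
        reasons.append("whitespace in realm")
    if re.search(r"https?://|www\.", realm, re.I):
        reasons.append("URL-like text in realm")
    for host in trusted_hosts:
        if host.lower() != serving_host.lower() and host.lower() in realm.lower():
            reasons.append("realm names trusted host " + host)
    return reasons


if __name__ == "__main__":
    # Constructed samples: an ordinary challenge, then one dressed up as a bank's.
    trusted = ("bank.example", "mail.example")
    print(realm_warnings('Basic realm="mail.example"', "mail.example", trusted))
    print(realm_warnings("Basic realm=\"bank.example' Please log in\"", "evil.example", trusted))
```

Legitimate realms often contain spaces ("Restricted Area"), so treat each reason as a signal to review rather than a reason to block on its own.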
Wouldn't hovering over the link before clicking show you in the status bar whether the link was genuine?
Really, all you have to do is look at the domain. Without this little ritual no "security" measure, not SSL nor anything else, can protect you. It makes all the difference in the world.
Not sure about this (Score:2)
Look before you click.