A common feature on many Web sites is a pop-up dialog box where users enter
their username and password. Before you enter your information in Firefox
next time, you might want to think twice. Security researcher Aviv Raff is
alleging that in the latest Firefox 2.0.0.11 release the pop-up dialog box for password entry can be
spoofed in a phishing attack.
“Mozilla Firefox allows spoofing the information presented in the basic
authentication dialog box, Raff wrote in an advisory. “This can allow an
attacker to conduct phishing attacks, by tricking the user to believe that
the authentication dialog box is from a trusted Web site.”
Raff explained that the vulnerability exists because Firefox doesn’t
‘sanitize’ all the characters in the authentication box for the realm value
that defines where the authentication is from. As such it is possible for an
attacker to maliciously craft a Realm value that looks as though the
password dialog box comes from a trusted site such as a financial
institution.
“When the victim clicks on the link, the trusted Web page will be opened in
a new window, and a script will be executed to redirect the new opened
window to the attacker’s Web server, which will then return the specially
crafted basic authentication response,” Raff wrote. In addition to the
advisory Raff has posted a video on YouTube
showing how the vulnerability can be exploited.
Mozilla Chief Security Officer Window Snyder in an e-mail sent to
InternetNews.com said that Mozilla is investigating the issue. Snyder also noted that Raff did not first properly inform Mozilla of the security issue.
“Aviv Raff first posted this information in a public forum,” Snyder
commented. “At Mozilla, we prefer that security researchers notify us of
potential issues by either filing a security sensitive bug in
https://bugzilla.mozilla.org or e-mailing security@mozilla.com. It helps us
keep users safe when security researches notify us before making details
publicly available, but we appreciate all contributions.”
Raff was not immediately available for comment.
As a workaround Raff noted in his advisory to avoid providing usernames and
passwords to Web sites that use the basic pop-up dialog box authentication
method.
Mozilla has had its share of issues with password related phishing and cross
site scripting vulnerabilities. The Firefox Password Manager was first revealed to
have security issues in November of 2006. Mozilla has since fixed some
of the issues with Password Manager though it is still a cause for concern
with some security researchers. In fact, a key part of the upcoming Firefox 3 release is a rewritten Password Manager.
“Firefox 3 has improved security UI to minimize the opportunities an
attacker has to lure a user into entering information where they shouldn’t,”
Snyder said.
The Firefox 3 final release is expected later this year. As Mozilla is
currently investigating Raff’s allegations, it is not yet clear when a
security update may be available for Firefox 2.0.0.11.
