Some days ago, I went through a blog called Aviv Raff On.NET, run by Aviv Raff, and it had a really interesting post about a Firefox 2.0 vulnerability: whenever an authentication dialog box appears asking for a user name and password in order to access a website, there are two possible attacks that you might run into.
In order to avoid it, apart from using your good sense in visiting trusted sites, you can have a look at our Mini-Guide: How To Avoid Hacker Attacks And Make Firefox More Secure.
Here is what Aviv has discovered:
Summary
Mozilla Firefox allows spoofing the information presented in the basic authentication dialog box. This can allow an attacker to conduct phishing attacks, by tricking the user into believing that the authentication dialog box is from a trusted website.
Affected versions
Mozilla Firefox v2.0.0.11.
Prior versions and other Mozilla products may also be affected.
Technical details
Mozilla Firefox displays an authentication dialog, whenever the visited web server returns 401 status code, and the “WWW-Authenticate” header. In order to specify basic authentication, the “WWW-Authenticate” header should have the value [Basic realm="XXX"] (without the brackets). The Realm value, which in this case is XXX, will be displayed in the authentication dialog window.
While Firefox does not display the characters in the “WWW-Authenticate” header Realm value after the last double-quotes (“), it fails to sanitize single-quotes (‘) and spaces. This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted web site.
There are at least two possible attack vectors:
- An attacker creates a web page with a link to a trusted website (e.g. Bank, PayPal, Webmail, etc.). When the victim clicks on the link, the trusted web page will be opened in a new window, and a script will be executed to redirect the newly opened window to the attacker’s web server, which will then return the specially crafted basic authentication response.
- An attacker embeds an image (pointing to the attacker’s web server, which will return the specially crafted basic authentication response) to:
  - A mail which will be sent to a webmail user.
  - RSS feed which will be consumed by a web RSS reader.
  - A forum/blog/social network page.
A video which demonstrates the first attack vector can be found on YouTube. A better quality video can be downloaded from here.
A video of a real live attack on a forum, which used basic authentication but without exploiting the vulnerability, can be found on Zull’s weblog (Hebrew).
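A defensive check for the realm handling described in the technical details, as an added example that is not part of the advisory or of this post: it flags Basic challenges whose realm carries quote characters, whitespace padding, or a host name other than the responding server. The function names, the heuristics and the sample records are assumptions constructed for illustration.

```python
import re

# Realm of a Basic challenge. The greedy group runs to the LAST double quote,
# so quote characters embedded in the value stay visible to the checks below.
_REALM_RE = re.compile(r'^\s*Basic\s+realm\s*=\s*"(.*)"', re.IGNORECASE)
# Anything inside the realm that looks like a host name or URL.
_HOST_RE = re.compile(r'(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})', re.IGNORECASE)


def realm_findings(www_authenticate, responding_host):
    """Return the reasons a Basic realm looks like dialog spoofing (hypothetical helper)."""
    m = _REALM_RE.match(www_authenticate)
    if not m:
        return []  # not a Basic challenge, nothing to inspect
    realm, server = m.group(1), responding_host.lower()
    findings = []
    if "'" in realm or '"' in realm:
        findings.append("quote character inside realm")
    if re.search(r"\s{3,}", realm):
        findings.append("run of whitespace inside realm")
    for host in _HOST_RE.findall(realm):
        host = host.lower()
        # A realm naming the server itself, or its parent domain, is expected.
        if host != server and not server.endswith("." + host):
            findings.append("realm names foreign host " + host)
    return findings


def scan(records):
    """Map responding host -> findings for every 401 response that raised any."""
    flagged = {}
    for status, host, header in records:
        if status == 401:
            findings = realm_findings(header, host)
            if findings:
                flagged[host] = findings
    return flagged


# Constructed sample records: (status, responding host, WWW-Authenticate value).
SAMPLE = [
    (401, "intranet.example.com", 'Basic realm="Staff wiki"'),
    (401, "img.other.example", 'Basic realm="\'www.trusted.example\'      padding"'),
    (200, "www.example.com", ""),
]

if __name__ == "__main__":
    for host, findings in scan(SAMPLE).items():
        print(host, findings)
```

A realm with a legitimate apostrophe will also be flagged, so treat the findings as triage hints for proxy or mail-gateway logs rather than as a verdict.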

