Feeds

Firefox spoofing bug raises phishing fears

Basic authentication sucks

Top 5 reasons to deploy VMware with Tegile

Flaws in the way the latest version of Mozilla Firefox presents authentication dialog boxes leave the door open for cybercrooks to trick users into handing over login credentials, a leading security researcher warns.

The spoofing weakness - discovered by Israeli security researcher Aviv Raff - involves a failure by the open source browser to sanitise single quotation marks and spaces in the "realm" value of an authentication header.

"This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site," Raff explained.

Exploitation of the bug might involve embedding a rigged image on a MySpace page that would pose as a log-on dialog to Amazon.com, for example, while actually sending data to systems controlled by hackers. Alternatively, a hacker might attempt to trick users into visiting a maliciously constructed web page featuring a link to a trusted website. If a victim clicks on the link, the trusted web page will be opened in a new window. Meanwhile, in the background, a script will be executed to redirect the newly opened window to the attacker's web server, returning the specially crafted basic authentication response.

Firefox 2.0.0.11 is vulnerable to the issue, according to Raff. Previous versions of the popular open source browser may also be flawed.

Raff has posted an advisory explaining the vulnerability and its possible misuse in phishing attacks. The advisory links to a video illustrating the exploit, also created by Raff, that shows the misuse of the flaw to spoof Google Checkout. A low-resolution version of the video (as below) has been posted onto YouTube.

Mozilla researchers are investigating the issue. Pending the availability of a fix Raff, who's previously discovered vulnerabilities in Google's Toolbar and Apple's Safari web browser, advises users of the open source browser to avoid providing username and password information to sites displaying the dialog. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.