Re: [Full-disclosure] Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication

[Michal Zalewski <lcamtuf@xxxxxxxx>]

On Thu, 3 Jan 2008, avivra wrote:

> http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

Although it's amusing Firefox filters '"' in this prompt to begin with, 
rather than designing it more wisely not to render attacker-controlled 
text inline (use a table view below instead!), I'm not sure that the 
ability to use single quotes (or other homoglyphs) makes the attack 
considerably more dangerous.

Note that any person familiar with the dialog is unlikely to be confused 
by this prompt, as a clear indication of the originating site, consistent 
with the design of this dialog, is preserved ("...at 
http://avivraff.com";). As such, I would certainly not go as far as 
recommending "not to provide username and password to web sites which show 
this dialog" - that's an overkill. Just don't trust self-contradictory or 
unusually structured dialogs - you never should.

Naturally, any person *not* used to seeing this dialog might be eager to 
enter his credentials there, lulled by the tech lingo - but that's a 
general complaint about browser design that is in no way specific to 
Firefox; the same person would be likely to give out his password to:

  prompt("Please enter your password for foocorp.com (certified by Verisign)")'.

...simply because a systemic failure of browser vendors to provide 
user-friendly security signaling and UI behavior (along the lines of: "as 
far as we're concerned, any person with no understanding of SSL, HTTP, and 
DNS had it coming and should die in a fire").

Just my $.02 (and with the exchange rates today, that's not a whole lot!),
/mz