<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication



On Thu, 3 Jan 2008, avivra wrote:

http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

Although it's amusing Firefox filters '"' in this prompt to begin with, rather than designing it more wisely not to render attacker-controlled text inline (use a table view below instead!), I'm not sure that the ability to use single quotes (or other homoglyphs) makes the attack considerably more dangerous.

Note that any person familiar with the dialog is unlikely to be confused by this prompt, as a clear indication of the originating site, consistent with the design of this dialog, is preserved ("...at http://avivraff.com";). As such, I would certainly not go as far as recommending "not to provide username and password to web sites which show this dialog" - that's an overkill. Just don't trust self-contradictory or unusually structured dialogs - you never should.

Naturally, any person *not* used to seeing this dialog might be eager to enter his credentials there, lulled by the tech lingo - but that's a general complaint about browser design that is in no way specific to Firefox; the same person would be likely to give out his password to:

  prompt("Please enter your password for foocorp.com (certified by Verisign)")'.

...simply because a systemic failure of browser vendors to provide user-friendly security signaling and UI behavior (along the lines of: "as far as we're concerned, any person with no understanding of SSL, HTTP, and DNS had it coming and should die in a fire").

Just my $.02 (and with the exchange rates today, that's not a whole lot!),
/mz