A serious flaw in how Firefox handles log-ons could be used by identity thieves to dupe users into disclosing passwords, a noted security researcher said Wednesday.
Aviv Raff, an Israeli researcher best known for ferreting out browser flaws, revealed the Firefox spoofing vulnerability on his personal blog, and posted a demonstration video there. He did not go public with any proof-of-concept code or working exploit, however.
According to Raff, Firefox 2.0.0.11 -- Mozilla Corp.'s most current version -- fails to sanitize single quotation marks and spaces in what's called the "Realm" value of an authentication header. "This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site," said Raff.
Raff outlined a pair of possible attack vectors. One would rely on a malicious site that included a link to a trusted site -- a well-known bank, say, or a Web e-mail service such as Gmail or Hotmail -- that when clicked would display its usual log-on dialog. In the background, however, the attacker would have crafted a script that exploited the Firefox vulnerability to redirect the username and password entered by the user to the hacker's server instead of the real deal.
Alternately, a rigged image could be delivered via e-mail or embedded in a blog or MySpace page that when clicked generated a legitimate-looking log-on dialog.
Raff's video -- a lower-resolution version is on YouTube -- shows a spoof of Google Inc.'s Checkout payment system; it can be downloaded from here.
"Until Mozilla fixes this vulnerability, I recommend not to provide username and password to Web sites which show this dialog," said Raff in his blog.
The company last patched Firefox in late November when it updated the browser to 2.0.0.11. Thursday, Mozilla's chief of security, Window Snyder, would only say that her team is investigating Raff's claims.
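The sanitization gap the article describes, turned into a defensive check on the realm before any dialog shows it. This is an added example, not code from Raff's advisory or from Mozilla. The function names, the sample headers and the control-character and `foreign-host` checks are assumptions that go beyond the article, which names only single quotation marks and spaces.

```javascript
// Added example: audit a Basic-auth challenge before its realm is shown in a dialog.
// All names and sample headers below are constructed for illustration.

// Pull the realm out of a Basic challenge, honouring backslash escapes.
function parseBasicRealm(headerValue) {
  const m = /^\s*Basic\s+.*?\brealm\s*=\s*"((?:[^"\\]|\\.)*)"/i.exec(headerValue);
  return m ? m[1].replace(/\\(.)/g, "$1") : null;
}

// Flag the characters the article names (quotes, padding spaces), plus two
// assumed extras: control characters and host names other than the responder.
function auditRealm(realm, respondingHost) {
  const findings = [];
  if (/['"`]/.test(realm)) findings.push("quote");
  if (/\s{2,}/.test(realm)) findings.push("whitespace-run");
  if (/[\u0000-\u001f\u007f]/.test(realm)) findings.push("control-char");
  const hosts = realm.toLowerCase().match(/\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/g) || [];
  if (hosts.some((h) => h !== respondingHost.toLowerCase())) findings.push("foreign-host");
  return findings;
}

// Form that is safe to render: no quotes or control characters, single spaces, capped length.
function displayRealm(realm, maxLen = 40) {
  const clean = realm
    .replace(/[\u0000-\u001f\u007f]/g, " ")
    .replace(/['"`]/g, "")
    .replace(/\s+/g, " ")
    .trim();
  return clean.length > maxLen ? clean.slice(0, maxLen) + "..." : clean;
}

function checkChallenge(headerValue, respondingHost) {
  const realm = parseBasicRealm(headerValue);
  if (realm === null) return { realm: null, findings: ["no-basic-realm"], display: "" };
  return { realm, findings: auditRealm(realm, respondingHost), display: displayRealm(realm) };
}

// Constructed samples: one ordinary realm, one carrying a quote, padding and another site's name.
const SAMPLES = [
  { host: "intranet.example.test", header: 'Basic realm="Staff Wiki"' },
  { host: "unknown.example.test",
    header: "Basic realm=\"Members' area      for login.bank.example\"" },
];
for (const s of SAMPLES) console.log(s.host, checkChallenge(s.header, s.host));
```

A dialog that shows `display` next to the responding host, taken from the connection rather than from the header, leaves the server-supplied realm no room to imitate the browser's own wording.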
Haha... this is the first instance of actual exploitation of Firefox that I've ever heard of.
I was expecting this. Unfortunately.
So from what I understand, this is a more advanced version of a phishing scheme where the link pulls the actual login page of the trusted site? Wouldn't you be able to see where it actually goes if you viewed the source? Does the exploit allow injection of code to specify where the destination of the receiving server is on the fly? I'm sort of confused as to how oblivious we can be to it. (I'm assuming that you can't just look at the address bar anymore.)
I looked into this a little more, and this apparently is old news brought into new light.
The spoofing bug made an appearance back in the day in the way of code injection, as I guessed. You can see if it works on your browser here, thanks to Secunia.
However, I'm not sure yet if it actually is done in the same manner in this re-appearance.
The easiest way to keep yourself protected, if this was the case, is by not entering any information at all until they make a patch. Since that's not going to happen, fall back on your AutoComplete bank of user names and passwords that you were too lazy to type out before. And if you don't have AutoComplete enabled, then I suggest that you not enter any data into a website that opened up in a new window or frame, or only have one site open at a time, since the script needs to exist in one spot in order to inject it into another website opened in another window, which possibly could be named and easily targeted.
I'll post more information as I come upon it.
-
Edit: The video of the exploit in action can be viewed here. Problem is that there's no sound to narrate what's going on... and this just looks painfully obvious, thanks to the frequency of form-based credential input as opposed to the pop-up dialog.
And of course, still obvious if you open up a new window to log in.
When in doubt, don't log in. And also, you would have to access your trusted site from an untrusted source, wouldn't you? Otherwise, they can't load their redirection script.
And if you did fall for it, just change your password. Hopefully you didn't leave any other more confidential or sensitive information with that misstep.
-
Edit Edit: Aviv Raff's advisory. Basically showing how obvious this is and advice on avoiding it... which you already read here.