A serious flaw in how Firefox handles log-ons could be used by identity thieves to dupe users into disclosing passwords, a noted security researcher said Wednesday.
Aviv Raff, an Israeli researcher best known for ferreting out browser flaws, revealed the Firefox spoofing vulnerability on his personal blog, and posted a demonstration video there. He did not go public with any proof-of-concept code or working exploit, however.
According to Raff, Firefox 2.0.0.11 -- Mozilla Corp.'s most current version -- fails to sanitize single quotation marks and spaces in what's called the "Realm" value of an authentication header. "This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site," said Raff.
Raff outlined a pair of possible attack vectors. One would rely on a malicious site that included a link to a trusted site -- a well-known bank, say, or a Web e-mail service such as Gmail or Hotmail -- that when clicked would display its usual log-on dialog. In the background, however, the attacker would have crafted a script that exploited the Firefox vulnerability to redirect the username and password entered by the user to the hacker's server instead of the real deal.
Alternately, a rigged image could be delivered via e-mail or embedded in a blog or MySpace page that when clicked generated a legitimate-looking log-on dialog.
Raff's video -- a lower-resolution version is on YouTube -- shows a spoof of Google Inc.'s Checkout payment system; it can be downloaded from here.
"Until Mozilla fixes this vulnerability, I recommend not to provide username and password to Web sites which show this dialog," said Raff in his blog.
The company last patched Firefox in late November when it updated the browser to 2.0.0.11. Thursday, Mozilla's chief of security, Window Snyder, would only say that her team is investigating Raff's claims.
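The article describes the flaw as a failure to sanitize single quotation marks and spaces in the Realm value before it is shown in the log-on dialog. As an added illustration (not code from Raff's advisory, from Mozilla, or from the article), the sketch below shows defensive handling of a Basic-auth realm: parse it, flag the risky properties, and neutralise it before display. All function names, the sample headers, and the "foreign-host" heuristic are assumptions made for this example.

```javascript
// Added example. Function names and sample headers are constructed.

// Pull the realm out of a Basic challenge; returns null for other schemes.
function parseBasicRealm(headerValue) {
  if (!/^\s*Basic\b/i.test(headerValue)) return null;
  const m = /\brealm="((?:[^"\\]|\\.)*)"/i.exec(headerValue);
  return m ? m[1].replace(/\\(.)/g, "$1") : null; // undo quoted-pair escapes
}

// Report the realm properties that let site-supplied text pass for dialog text.
function auditRealm(realm, challengeHost) {
  const findings = [];
  if (/['"`]/.test(realm)) findings.push("quote");
  if (/\s{2,}|[\u0000-\u001f\u007f]/.test(realm)) findings.push("whitespace");
  // Heuristic (assumption of this example): a realm naming another host is suspect.
  const hosts = realm.toLowerCase().match(/\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/g) || [];
  if (hosts.some((h) => h !== challengeHost.toLowerCase())) findings.push("foreign-host");
  return findings;
}

// Neutralise the realm before it is shown next to trusted dialog text.
function sanitizeRealm(realm, maxLen = 40) {
  const cleaned = realm
    .replace(/[\u0000-\u001f\u007f]/g, " ") // control characters become spaces
    .replace(/['"`]/g, "")                   // drop quote characters
    .replace(/\s+/g, " ")                    // collapse whitespace runs
    .trim();
  return cleaned.length > maxLen ? cleaned.slice(0, maxLen) + "..." : cleaned;
}

// Build prompt text: the verified host comes first, the realm is labelled as site-supplied.
function renderPrompt(headerValue, challengeHost) {
  const realm = parseBasicRealm(headerValue);
  if (realm === null) return null;
  const findings = auditRealm(realm, challengeHost);
  const note = findings.length ? ` [suspicious: ${findings.join(", ")}]` : "";
  return `${challengeHost} is requesting a username and password. ` +
    `The site says: "${sanitizeRealm(realm)}"${note}`;
}

// Constructed sample challenges, all received from files.example.net.
const SAMPLES = [
  'Basic realm="Staff wiki"',
  'Basic realm="Members\' area      extra text"',
  'Basic realm="mail.example.org login"',
];
for (const h of SAMPLES) console.log(renderPrompt(h, "files.example.net"));
```

The host in the prompt comes from the connection that issued the challenge, never from the realm, so the realm can at most add a clearly attributed label.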
Haha... this is the first instance of actual exploitation of Firefox that I've ever heard of.
I was expecting this. Unfortunately.
So from what I understand, this is a more advanced version of a phishing scheme where the link pulls the actual login page of the trusted site? Wouldn't you be able to see where it actually goes if you viewed the source? Does the exploit allow injection of code to specify where the destination of the receiving server is on the fly? I'm sort of confused as to how oblivious we can be to it. (I'm assuming that you can't just look at the address bar anymore.)
I looked into this a little more, and this apparently is old news brought into new light.
The spoofing bug made an appearance back in the day in the way of code injection, as I guessed. You can see if it works on your browser here, thanks to Secunia.
However, I'm not sure yet if it actually is done in the same manner in this re-appearance.
The easiest way to keep yourself protected, if this was the case, is by not entering any information at all until they make a patch. Since that's not going to happen, fall back on your AutoComplete bank of user names and passwords that you were too lazy to type out before. And if you don't have AutoComplete enabled, then I suggest that you not enter any data into a website that opened up in a new window or frame, or only have one site open at a time, since the script needs to exist in one spot in order to inject it into another website opened in another window, which possibly could be named and easily targeted.
I'll post more information as I come upon it.
-
Edit: The video of the exploit in action can be viewed here. Problem is that there's no sound to narrate what's going on... and this just looks painfully obvious, thanks to the frequency of form-based credential input as opposed to the pop-up dialog.
And of course, still obvious if you open up a new window to log in.
When in doubt, don't log in. And also, you would have to access your trusted site from an untrusted source, wouldn't you? Otherwise, they can't load their redirection script.
And if you did fall for it, just change your password. Hopefully you didn't leave any other more confidential or sensitive information with that misstep.
-
Edit Edit: Aviv Raff's advisory. Basically showing how obvious this is and advice on avoiding it... which you already read here.