Firefox basic authentication spoofing details and video

Researcher Aviv Raff found out that Mozilla Firefox allows spoofing the information presented in the basic authentication dialog box. This can allow an attacker to conduct phishing attacks by tricking the user into believing that the authentication dialog box comes from a trusted website.

Mozilla Firefox v2.0.0.11 is affected. Prior versions and other Mozilla products may also be affected.

Mozilla Firefox displays an authentication dialog whenever the visited web server returns a 401 status code together with a "WWW-Authenticate" header. To request basic authentication, the "WWW-Authenticate" header carries the value Basic realm="XXX". The realm value, XXX in this case, is displayed in the authentication dialog window.

While Firefox does not display the characters in the "WWW-Authenticate" header realm value after the last double quote ("), it fails to sanitize single quotes (') and spaces. This makes it possible for an attacker to create a specially crafted realm value which will look as if the authentication dialog came from a trusted web site.
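The following is an added example, not code from the original report or from Mozilla. It parses the Basic challenge described above (the "WWW-Authenticate: Basic realm=..." header) and applies the kind of heuristic checks a filtering proxy or a log-review script can run on realm values: single quotes, runs of padding spaces, control characters, and a realm that names a host other than the one that actually sent the 401. The header strings, host names and function names are constructed for this illustration.

```python
import re

# One auth-param of an HTTP challenge: key=token or key="quoted-string"
# (the RFC 2617 syntax used by Basic realm="XXX").
_AUTH_PARAM = re.compile(
    r'(?P<key>[A-Za-z0-9_-]+)\s*=\s*'
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>[^\s,"]+))'
)

# Anything that looks like a DNS name (used to spot realms that impersonate a site).
_HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def parse_basic_challenge(header):
    """Return {param: value} for a Basic challenge, or None if the scheme is not Basic.

    Quoted-pairs (backslash escapes) inside a quoted-string are unescaped.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    result = {}
    for m in _AUTH_PARAM.finditer(params):
        value = m.group("quoted")
        if value is not None:
            value = re.sub(r"\\(.)", r"\1", value)
        else:
            value = m.group("token")
        result[m.group("key").lower()] = value
    return result


def realm_warnings(header, challenge_host):
    """Heuristic checks for a realm that may be trying to pass itself off as another site.

    challenge_host is the host that actually returned the 401 (taken from the
    request, never from the header itself).
    """
    params = parse_basic_challenge(header)
    if params is None or "realm" not in params:
        return []
    realm = params["realm"]
    warnings = []
    if "'" in realm:
        warnings.append("realm contains a single quote (can mimic a closing quote in the dialog)")
    if "  " in realm:
        warnings.append("realm contains runs of spaces (padding can push text out of view)")
    if re.search(r"[\x00-\x1f\x7f]", realm):
        warnings.append("realm contains control characters")
    challenge_host = challenge_host.lower()
    for host in _HOSTLIKE.findall(realm):
        host = host.lower()
        # A realm naming the serving host, or a parent domain of it, is normal.
        if host != challenge_host and not challenge_host.endswith("." + host):
            warnings.append("realm names another host: " + host)
    return warnings


# Constructed sample challenges (not real traffic).
BENIGN_CHALLENGE = 'Basic realm="Secure Area", charset="UTF-8"'
SELF_NAMED_CHALLENGE = 'Basic realm="www.bank.example"'
SUSPICIOUS_CHALLENGE = "Basic realm=\"login.bank.example' Sign in            \""


def demo():
    """Run the checks over the constructed samples; returns the per-sample warning lists."""
    return {
        "benign": realm_warnings(BENIGN_CHALLENGE, "intranet.example.com"),
        "self_named": realm_warnings(SELF_NAMED_CHALLENGE, "www.bank.example"),
        "suspicious": realm_warnings(SUSPICIOUS_CHALLENGE, "evil.example.test"),
    }


if __name__ == "__main__":
    for name, warnings in demo().items():
        print(name, "->", warnings or "no warnings")
```

The host comparison is a heuristic: a realm such as "mail.example.org" served by "imap-proxy.example.org" would be flagged, so in a real deployment the parent-domain rule needs to match the organisation's naming. The important design point is that the host the check trusts comes from the connection, not from anything inside the challenge.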

Mr Raff notes two possible attack vectors:

An attacker creates a web page with a link to a trusted website (e.g. a bank, PayPal, webmail, etc.). When the victim clicks on the link, the trusted web page is opened in a new window, and a script is executed to redirect the newly opened window to the attacker's web server, which then returns the specially crafted basic authentication response.

An attacker embeds an image (pointing to the attacker's web server, which will return the specially crafted basic authentication response) in:

1. A mail which will be sent to a webmail user.
2. An RSS feed which will be consumed by a web RSS reader.
3. A forum/blog/social network page.

Video showcase of the vulnerability: