BasicAuth dialog realm value spoofing

Window Snyder

Issue

The realm value in a basic authentication dialog may be spoofed by an attacker to trick users into thinking the authentication request is coming from a different, trusted site.

Impact

When displaying the basic authentication dialog, Firefox displays the actual source of the request at the end of the dialog text, after the attacker-controlled realm string. Some other browsers display the request source at the very beginning of the dialog text or as part of the pop-up window's title bar, where it is harder to mistake for part of the realm text.

This may allow an attacker to craft basic authentication dialogs that are confusing to users and may result in users sending website credentials to phishing websites.
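To make the issue concrete from the defender's side, the following added example (written for this page, not code from Mozilla or from the original report) parses the realm out of a `WWW-Authenticate: Basic` challenge, renders a prompt in the origin-first layout the text attributes to other browsers, and applies a heuristic that flags a realm which names a host other than the one actually issuing the challenge. The sample challenge headers and host names are constructed for illustration, and the heuristic is an assumption about what a proxy or client would reasonably check, not anything the post prescribes.

```python
import re
from urllib.parse import urlsplit

# Constructed sample challenges, keyed by the URL the request was sent to.
# None of these are from the original post.
SAMPLE_CHALLENGES = {
    "http://intranet.example/": 'Basic realm="Staging API", charset="UTF-8"',
    "http://attacker.example/": 'Basic realm="Please log in to www.bank.example"',
    "http://attacker.example/2": 'Basic realm="Sign in at https://mail.example/"',
    "http://mail.example/": 'Basic realm="www.mail.example webmail"',
}

_REALM_RE = re.compile(r'realm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))', re.I)
# Host-like tokens: at least two labels, each label after the first 2+ chars,
# so abbreviations such as "e.g." are not treated as host names.
_HOST_RE = re.compile(r'(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]{2,})+)', re.I)


def parse_basic_realm(header):
    """Return the realm parameter of a Basic challenge, or None.

    Accepts the RFC 2617 quoted-string form (with backslash escapes) and
    the bare-token form. Any other scheme yields None.
    """
    m = re.match(r"\s*Basic\s+(.*)", header, re.I)
    if not m:
        return None
    rm = _REALM_RE.search(m.group(1))
    if not rm:
        return None
    if rm.group(1) is not None:
        # Undo backslash quoting inside the quoted-string.
        return re.sub(r"\\(.)", r"\1", rm.group(1))
    return rm.group(2)


def realm_names_other_host(realm, request_url):
    """Heuristic: True if the realm mentions a host that is neither the
    requesting host nor one of its subdomains."""
    host = (urlsplit(request_url).hostname or "").lower()
    for tok in _HOST_RE.findall(realm):
        tok = tok.lower()
        if tok != host and not tok.endswith("." + host):
            return True
    return False


def render_prompt(request_url, realm):
    """Build origin-first prompt text: the real source comes before the
    untrusted realm string, and the realm is flattened and truncated so it
    cannot push the origin out of view."""
    parts = urlsplit(request_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    flat = " ".join(realm.split())  # collapse newlines/whitespace
    if len(flat) > 60:
        flat = flat[:57] + "..."
    return f'{origin} requests a username and password. The site says: "{flat}"'


def review_challenges(challenges=SAMPLE_CHALLENGES):
    """Return {url: (realm, suspicious)} for each constructed challenge."""
    out = {}
    for url, header in challenges.items():
        realm = parse_basic_realm(header) or ""
        out[url] = (realm, realm_names_other_host(realm, url))
    return out


if __name__ == "__main__":
    for url, (realm, suspicious) in review_challenges().items():
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"[{flag}] {render_prompt(url, realm)}")
```

The host-matching heuristic is deliberately permissive about subdomains of the requesting host, so a realm such as "www.mail.example webmail" served by mail.example is not flagged, while a realm that names a bank's host from an unrelated origin is.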

Status

Mozilla is currently investigating this issue and has assigned it an initial security severity rating of low. You can follow this issue here: https://bugzilla.mozilla.org/show_bug.cgi?id=244273

Credit

The issue was reported to the full-disclosure and bugtraq mailing lists by Aviv Raff.

http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

One response

  1. Ronald van den Heetkamp wrote on ::

    I do think this is an issue, because it can confuse surfers in a great deal. When they see a trusted dialog, they usually click on ‘OK’ without a second thought.

    Besides the issue, I still can't grasp the rating Mozilla gives to exploits or browser issues. IMHO there isn't any way of rating exploits in security. You deliver either secure or insecure software. Moreover, phishing issues are the biggest threat of all because you can't fix them.