We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Firefox attacked by spoofing bug

Users could disclose persona data

A serious flaw in the way Firefox handles log-ons could be used by identity thieves to dupe users into disclosing passwords, according to Aviv Raff, an Israeli researcher best known for ferreting out browser flaws.

Raff revealed the Firefox spoofing vulnerability on his personal blog, and posted a demonstration video there. He did not go public with any proof-of-concept code or working exploit, however.

According to Raff, Firefox 2.0.0.11 - Mozilla's most current version - fails to sanitise single quotation marks and spaces in what's called the "Realm" value of an authentication header. Visit Security Advisor for the latest PC security news, reviews, tips and tricks.

"This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site," said Raff.

Raff outlined a pair of possible attack vectors. One would rely on a malicious site that included a link to a trusted site - a well-known bank, say, or a web email service such as Gmail or Hotmail - that when clicked would display its usual log-on dialog.

In the background, however, the attacker would have crafted a script that exploited the Firefox vulnerability to redirect the username and password entered by the user to the hacker's server instead of the real deal.

Alternately, a rigged image could be delivered via email or embedded in a blog or MySpace page that when clicked generated a legitimate-looking log-on dialog.

Raff's video - a lower-resolution version is on YouTube - shows a spoof of Google's Checkout payment system.

"Until Mozilla fixes this vulnerability, I recommend not to provide username and password to websites which show this dialog," said Raff in his blog.

The company last patched Firefox in late November when it updated the browser to 2.0.0.11. Thursday, Mozilla's chief of security, Window Snyder, would only say that her team is investigating Raff's claims. Visit Broadband Advisor for the latest internet news.


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

Apple's 2014 highlights: the most significant Apple news of 2014

IDG UK Sites

Watch this heartwarming Christmas short by Trunk for composer John Rutter

IDG UK Sites

Ultimate iOS 8 Tips: 35 awesome and advanced tips for using iOS 8 on iPhone and iPad