Researchers find serious spoofing flaw in Firefox

Posted on Friday, Jan 04 2008 @ 19:53 CET by Thomas De Maesschalck
Security researchers have found a serious bug in Firefox which could be abused by criminals to dupe users into giving up their passwords:
Aviv Raff, an Israeli researcher best known for ferreting out browser flaws, revealed the Firefox spoofing vulnerability on his personal blog, and posted a demonstration video there. He did not go public with any proof-of-concept code or working exploit, however.

According to Raff, Firefox 2.0.0.11 -- Mozilla Corp.'s most current version -- fails to sanitize single quotation marks and spaces in what's called the "Realm" value of an authentication header. "This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site," said Raff.

Raff outlined a pair of possible attack vectors. One would rely on a malicious site that included a link to a trusted site -- a well-known bank, say, or a Web e-mail service such as Gmail or Hotmail -- that when clicked would display its usual log-on dialog. In the background, however, the attacker would have crafted a script that exploited the Firefox vulnerability to redirect the username and password entered by the user to the hacker's server instead of the real deal.
Source: PC World


About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.



Loading Comments