Firefox Hit With Spoofing Bug

[FlameX 0]

A serious flaw in how Firefox handles log-ons could be used by identity thieves to dupe users into disclosing passwords, a noted security researcher said Wednesday.
Aviv Raff, an Israeli researcher best known for ferreting out browser flaws, revealed the Firefox spoofing vulnerability on his personal blog, and posted a demonstration video there. He did not go public with any proof-of-concept code or working exploit, however.

According to Raff, Firefox 2.0.0.11 -- Mozilla Corp.'s most current version -- fails to sanitize single quotation marks and spaces in what's called the "Realm" value of an authentication header. "This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site," said Raff.

Raff outlined a pair of possible attack vectors. One would rely on a malicious site that included a link to a trusted site -- a well-known bank, say, or a Web e-mail service such as Gmail or Hotmail -- that when clicked would display its usual log-on dialog. In the background, however, the attacker would have crafted a script that exploited the Firefox vulnerability to redirect the username and password entered by the user to the hacker's server instead of the real deal.

Alternately, a rigged image could be delivered via e-mail or embedded in a blog or MySpace page that when clicked generated a legitimate-looking log-on dialog.

Raff's video -- a lower-resolution version is on YouTube -- shows a spoof of Google Inc.'s Checkout payment system; it can be downloaded from here.

"Until Mozilla fixes this vulnerability, I recommend not to provide username and password to Web sites which show this dialog," said Raff in his blog.

The company last patched Firefox in late November when it updated the browser to 2.0.0.11. Thursday, Mozilla's chief of security, Window Snyder, would only say that her team is investigating Raff's claims.

Notice from jlhaslip:

Plagiarised from:
Board Rules
Xisto Readme
Please do not cut and paste without quote tags.

Please read the information in the link provided. Thanks

[rayzoredge 2]

Haha... this is the first instance of actual exploitation of FireFox that I've ever heard of.I was expecting this. Unfortunately. So from what I understand, this is a more advanced version of a phishing scheme where the link pulls the actual login page of the trusted site? Wouldn't you be able to see where it actually goes if you viewed the source? Does the exploit allow injection of code to specify where the destination of the receiving server is on the fly? I'm sort of confused as to how oblivious we can be to it. (I'm assuming that you can't just look at the address bar anymore.)

[Liam_CF 0]

I haven't known of a bug in firefox before. How can we avoid being caught out by this?

[rayzoredge 2]

I looked into this a little more, and this apparently is old news brought into new light.

The spoofing bug made an appearance back in the day in the way of code injection, as I guessed. You can see if it works on your browser here, thanks to Secunia.

However, I'm not sure yet if it actually is done in the same manner in this re-appearance.

The easiest way to keep yourself protected, if this was the case, is by not entering any information at all until they make a patch. Since that's not going to happen, fall back on your AutoComplete bank of user names and passwords that you were too lazy to type out before. And if you don't have AutoComplete enabled, then I suggest that you not enter any data into a website that opened up in a new window or frame, or only have one site open at a time, since the script needs to exist in one spot in order to inject it into another website opened in another window, which possibly could be named and easily targeted.

I'll post more information as I come upon it.

-

Edit: The video of the exploit in action can be viewed here. Problem is that there's no sound to narrate you on what's going on... and this just looks painfully-obvious, thanks to the frequency of form-based credential input as opposed to the pop-up dialog.

And of course, still obvious if you open up a new window to log in.

When in doubt, don't log in. And also, you would have to access your trusted site from an untrusted source, wouldn't you? Otherwise, they can't load their redirection script.

And if you did fall for it, just change your password. Hopefully you didn't leave any other more confidential or sensitive information with that misstep.

-

Edit Edit: Aviv Raff's advisory. Basically showing how obvious this is and advice on avoiding it... which you already read here.

Edited January 5, 2008 by rayzoredge (see edit history)