ID Theft Vulnerability Haunts Firefox
Israeli security researcher Aviv Raff has issued a warning for a fairly serious browser vulnerability that exposes Firefox users to identity theft attacks.
Raff, a well-respected hacker who regularly reports security problems in software products, discovered a way to use a browser bug to lure Firefox users into entering login credentials into a maliciously rigged dialog box.
The technical details:
Mozilla Firefox displays an authentication dialog, whenever the visited web server returns 401 status code, and the "WWW-Authenticate" header. In order to specify basic authentication, the "WWW-Authenticate" header should have the value [Basic realm="XXX"] (without the brackets). The Realm value, which in this case is XXX, will be displayed in the authentication dialog window.
While Firefox does not display the characters in the "WWW-Authenticate" header Realm value after the last double-quotes ("), it fails to sanitize single-quotes (') and spaces. This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted Web site.
Raff posted a video (.wmv file) to demonstrate an attack scenario but declined to publish proof-of-concept code.
He did provide me with a private demo of the issue, which also works if a Firefox user attempts to load an RSS feed into Google Reader or iGoogle.
Raff's discovery highlights a very serious design deficiency that affects all modern Web browsers -- the use of hard-to-comprehend dialog boxes to handle trust between user and Web site.
I know Firefox is working on a better way to display trust to end users in Firefox 3, but, in this day and age, the average mom-and-pop will never understand certificate dialogs filled with techy jargon. They are the big target for these kinds of attacks.