lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0801031115480.12557@dione.cc>
Date: Thu, 3 Jan 2008 11:48:21 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.cc>
To: avivra <avivra@...il.com>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Yet another Dialog Spoofing Vulnerability -
 Firefox Basic Authentication

On Thu, 3 Jan 2008, avivra wrote:

> http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

Although it's amusing Firefox filters '"' in this prompt to begin with, 
rather than designing it more wisely not to render attacker-controlled 
text inline (use a table view below instead!), I'm not sure that the 
ability to use single quotes (or other homoglyphs) makes the attack 
considerably more dangerous.

Note that any person familiar with the dialog is unlikely to be confused 
by this prompt, as a clear indication of the originating site, consistent 
with the design of this dialog, is preserved ("...at 
http://avivraff.com"). As such, I would certainly not go as far as 
recommending "not to provide username and password to web sites which show 
this dialog" - that's an overkill. Just don't trust self-contradictory or 
unusually structured dialogs - you never should.

Naturally, any person *not* used to seeing this dialog might be eager to 
enter his credentials there, lulled by the tech lingo - but that's a 
general complaint about browser design that is in no way specific to 
Firefox; the same person would be likely to give out his password to:

   prompt("Please enter your password for foocorp.com (certified by Verisign)")'.

...simply because a systemic failure of browser vendors to provide 
user-friendly security signaling and UI behavior (along the lines of: "as 
far as we're concerned, any person with no understanding of SSL, HTTP, and 
DNS had it coming and should die in a fire").

Just my $.02 (and with the exchange rates today, that's not a whole lot!),
/mz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ