[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <8beca820801030534h722d7d51sf749cf24ebc1b50a@mail.gmail.com>
Date: Thu, 3 Jan 2008 15:34:54 +0200
From: avivra <avivra@...il.com>
To: "Michal Zalewski" <lcamtuf@...ne.cc>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication
On Jan 3, 2008 12:48 PM, Michal Zalewski <lcamtuf@...ne.cc> wrote:
> Note that any person familiar with the dialog is unlikely to be confused
> by this prompt, as a clear indication of the originating site, consistent
> with the design of this dialog, is preserved ("...at
> http://avivraff.com").
Might be, if the domain indication was more clear, and not at the end
of the attacker controlled text.
> As such, I would certainly not go as far as
> recommending "not to provide username and password to web sites which show
> this dialog" - that's an overkill. Just don't trust self-contradictory or
> unusually structured dialogs - you never should.
I think regular users would find it difficult to distinguish between a
normal dialog and an unusually structured dialog.
> Naturally, any person *not* used to seeing this dialog might be eager to
> enter his credentials there, lulled by the tech lingo - but that's a
> general complaint about browser design that is in no way specific to
> Firefox; the same person would be likely to give out his password to:
>
> prompt("Please enter your password for foocorp.com (certified by Verisign)")'.
>
> ...simply because a systemic failure of browser vendors to provide
> user-friendly security signaling and UI behavior (along the lines of: "as
> far as we're concerned, any person with no understanding of SSL, HTTP, and
> DNS had it coming and should die in a fire").
>
Actually, the prompt is not a good example, as FireFox does show the
originating domain in the title, and IE7 disables prompt by default.
Though, I do agree that there are people out there that will be fooled
by this too.
--Aviv.
Powered by blists - more mailing lists