[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0801031115480.12557@dione.cc>
Date: Thu, 3 Jan 2008 11:48:21 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.cc>
To: avivra <avivra@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Yet another Dialog Spoofing Vulnerability -
Firefox Basic Authentication
On Thu, 3 Jan 2008, avivra wrote:
> http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx
Although it's amusing Firefox filters '"' in this prompt to begin with,
rather than designing it more wisely not to render attacker-controlled
text inline (use a table view below instead!), I'm not sure that the
ability to use single quotes (or other homoglyphs) makes the attack
considerably more dangerous.
Note that any person familiar with the dialog is unlikely to be confused
by this prompt, as a clear indication of the originating site, consistent
with the design of this dialog, is preserved ("...at
http://avivraff.com"). As such, I would certainly not go as far as
recommending "not to provide username and password to web sites which show
this dialog" - that's an overkill. Just don't trust self-contradictory or
unusually structured dialogs - you never should.
Naturally, any person *not* used to seeing this dialog might be eager to
enter his credentials there, lulled by the tech lingo - but that's a
general complaint about browser design that is in no way specific to
Firefox; the same person would be likely to give out his password to:
prompt("Please enter your password for foocorp.com (certified by Verisign)")'.
...simply because a systemic failure of browser vendors to provide
user-friendly security signaling and UI behavior (along the lines of: "as
far as we're concerned, any person with no understanding of SSL, HTTP, and
DNS had it coming and should die in a fire").
Just my $.02 (and with the exchange rates today, that's not a whole lot!),
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists