Firefox spoofing bug raises phishing fears

Flaws in the way the latest version of Mozilla Firefox presents authentication dialog boxes leave the door open for cybercrooks to trick users into handing over login credentials, a leading security researcher warns. The spoofing weakness - discovered by Israeli security researcher Aviv Raff - involves a failure by the open …

COMMENTS

This topic is closed for new posts.
  1. Colin Millar
    Go

    OR '' = ''

    Sanitising single quotations has been pre-school stuff since whenever

    How embarrassing for all the FF fanboiz who stamp their feet about IE vulns

  2. Anonymous Coward

    So, basically ...

    If you want to log in to a sensitive site, don't follow links from dubious sites. Hasn't that been good online advice since, er, always?

  3. Anonymous Coward
    Joke

    @colin

    Oh god Colin, what have you said... Prepare for death by boredom...

  4. Andrew
    Linux

    @Colin

    And how many vulns are in FF compared with IE? (PS not a fanboi)

  5. Anonymous Coward
    Stop

    Erm...

    Correct me if I'm wrong (there's a fair chance hence my cowardice) but the RFC indicates that the Realm value is a quoted-string; it's acceptable to use single quotes and white-space in a quoted-string (see RFC 822 - I've got hugs for you if you were born in the 80s).

    Now, although you can use this to exploit users' stupidity, isn't Firefox simply being compliant and following the standards?

    It's similar to using www.vvaterstones.com instead of www.waterstones.com (first has 2 vs) annoying but to solve it would require a complete change of the process.

    /Am I holding the smelly end?

  6. Colin Millar
    Thumb Up

    @Andrew

    Don't get me wrong - I'm no IE fan - the point is that this is such basic stuff for an app that is trumpeted as being so secure.

    I have to agree with AC - whatever browser you open - your best security comes from using your brain.

  7. James Dunmore
    Stop

    @Colin Millar

    At least we don't have to wait until the 2nd Tuesday in February for a patch.

    But that aside - I agree with "So, basically ... " Who in their right mind would enter their details into a popup that is sourced from a link from a different site - I say this to everyone who asks about phishing, always type the address yourself (or use your bookmarks) when going to a shopping site/banking site/email etc. - or don't click on a link from somewhere else (i.e. another site or your email!!)

  8. Geoff Webber
    IT Angle

    @AC

    Hmm - I can see your point but not sure what font you would use to perform the trick.

    vvww.xxyy.com looks completely different to

    www.xxyy.com

    I expect that changing the font halfway through typing the URL may work but I don't know of a way to do this in the address field.

  9. barryred

    @Colin

    "...your best security comes from using your brain".

    Since when has the average person these attacks target ever used their brain? If they did, most of these attacks wouldn't ever work.

  10. yeah, right.

    Real issue.

    The real issue is that Firefox is not displaying the given realm-value in any sort of way that allows easy discrimination between what the site provided and what Firefox is wrapping around it.

    As for "sanitizing" the realm value, RFC 822 is quite clear, quoted-string can include spaces and quotes. RFC 2069 and RFC 2617 both state that realm-value is a quoted-string. Sanitizing the string would therefore make Firefox non-compliant with said standards.

    So Firefox seems to be correctly following the standards, but it could make things clearer about what has been provided by the website as the realm name. Which means that Mr Raff's "problem" and "solution" would seem to be more geared towards attracting press attention (successfully it seems) rather than actually fixing the real issue that Firefox isn't making a dramatic visual distinction between the provided realm-value and the rest of the authentication text.

    So no, not quite as embarrassing as Mr. Millar would have us believe.

  11. Drew Masters
    Alert

    Sanitisation???

    I think the issue is that:

    "Google Account (https://www.google.com)'' Certified by Verisign: blahblah click ''Certificate"

    is a VALID realm! (I think...)

    Firefox SHOULDN'T sanitise this... Although FF could display things a little better to make it clear which site you're giving details to.

    But imho FF hasn't really got a security bug; more of a layout/clarity issue.

    :)

  12. Phil Endecott

    Spoof domain name still visible

    The example dialog says:

    >>> Enter username and password for "Google Account (https://www.google.com)" Certified by Verisign Inc. Get more information by clicking "Certificate" at http://avivraff.com

    The spoof (phishing) domain name, http://avivraff.com, is still visible in the message. The presentation could be improved to make it less convincing though:

    >>> The server http://avivraff.com [blurb about any SSL certificate] is asking for a user name and password for "Google Account [blah blah ]".

    But how often does a site use HTTP AUTH, rather than using a login form of its own and cookies? Basically never. A user who is used to a login form on the page is less likely to be taken in by this dialog.
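
The presentation change that comments 10 and 12 argue for, as an added example that is not part of the thread and not Firefox code: parse the realm as a quoted-string without altering it, then show the browser's own statement (the requesting origin) separately from the site-supplied text. The header, host names, `MAX_REALM` limit and warning heuristics are constructed for illustration.

```javascript
// Constructed sample: a Basic challenge whose realm imitates browser chrome
// by using two single quotes ('') to look like a closing double quote.
const SAMPLE_URL = "http://site.example.test/private";
const SAMPLE_HEADER = "Basic realm=\"Example Account (https://login.example)''" +
  " Certified by Example CA. Click ''Certificate\"";
const MAX_REALM = 64; // assumed display limit, not taken from any browser

// realm is a quoted-string: single quotes and spaces are legal, and a
// backslash quoted-pair (\" or \\) is unescaped rather than rejected.
function parseRealm(header) {
  const m = /^\s*Basic\s+realm="((?:[^"\\]|\\.)*)"/i.exec(header);
  return m ? m[1].replace(/\\(.)/g, "$1") : null;
}

// Heuristics (assumptions) for realm text that mimics the dialog's own wording.
function realmWarnings(realm) {
  const w = [];
  if (/''|"|[\u2018-\u201f]/.test(realm)) w.push("quote-like characters");
  if (/https?:\/\//i.test(realm)) w.push("embedded URL");
  if (realm.length > MAX_REALM) w.push("overlong");
  return w;
}

// Build the prompt in two parts: "trusted" holds only what the browser
// knows for itself; "untrusted" holds the realm, truncated and delimited
// with JSON quoting so embedded quotes cannot close the delimiter early.
function buildPrompt(requestUrl, header) {
  const origin = new URL(requestUrl).origin;
  const realm = parseRealm(header);
  if (realm === null) throw new Error("no Basic realm in challenge");
  const shown = realm.length > MAX_REALM
    ? realm.slice(0, MAX_REALM) + "…" : realm;
  return {
    trusted: `The server ${origin} is asking for a user name and password.`,
    untrusted: `The site says: ${JSON.stringify(shown)}`,
    warnings: realmWarnings(realm),
  };
}

const prompt = buildPrompt(SAMPLE_URL, SAMPLE_HEADER);
console.log(prompt.trusted);
console.log(prompt.untrusted);
console.log("warnings:", prompt.warnings.join(", "));
```

The realm is displayed unmodified apart from truncation, so the client stays compliant with the quoted-string grammar while the origin line can no longer be imitated by realm content.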

  13. Walter Brown
    Happy

    Firefox itself...

    FF isn't any safer than IE, in its basic form... plain and simple, but with the use of add-ons such as No-Script and Ad-Block Plus, it's much safer...

    And yes, I am a... wait no, let me state this correctly, I'm not a FF fanboi, I'm an IE hater...

  14. Anonymous Coward
    Flame

    and here come the IE zealots...

    ...screaming like good little corporate shills: "See! FF is teh sux0r!" But expect to see an update by the end of next week to fix it. Unlike IE that, if ever, lets critical exploits fester for a year or until the "next version" comes out.

  15. Anonymous Coward
    Stop

    isn't it about time we stopped coddling these idiots

    If you're stupid enough to enter your bank/email details into a popup on facebook, then you deserve to have your account cleaned out. It was forgiveable when these sorts of attacks were shiny and new but now everyone should be aware of them.

    Having a couple of grand transferred out of your account would be a lesson you wouldn't soon forget.

  16. steogede
    Black Helicopters

    Re: erm...

    >> It's similar to using www.vvaterstones.com instead of www.waterstones.com (first has 2 vs) annoying but to solve it would require a complete change of the process.

    I see what you mean, it is a bit like being fooled into thinking w\/\/Ш.7#er3$t3®.(0.√k is www.theregister.co.uk (some characters have been subtly altered - see if you can figure out which ones, if you have a few hours to spare).

  17. Jeff Deacon
    Flame

    Why panic?

    Let's just go back to HTML 3, no active scripting, whether Java or ActiveX, and certainly no Flash (wasn't that a heavy duty detergent for cleaning the kitchen floors?). In fact just plain words and pictures.

    No, I am being serious. I am absolutely pissed off with Web2.0 designers finding ever more inventive ways of making me insecure. In fact, I am thinking of upgrading from Firefox to OffByOne as my principal browser. And if your web site doesn't work? Well tough, there are plenty that do.

    No coat to take.

  18. Anonymous Coward
    Gates Halo

    Firefog b0rked again?

    Another week, another hole. They're becoming almost as common as teenage shootings and stabbings in London. Almost.

  19. Morely Dotes
    Flame

    So the issue is...

    That people are too stupid to read what's displayed on the screen.

    Somehow, I tend to doubt that this particular problem could be laid at the feet of the FF dev team; nor even the IE dev team (although that lot seem to have gotten their degrees entirely in Marketing, and picked up coding as a hobby...).

  20. Anonymous Coward
    Stop

    @Firefog b0rked again?

    Nice trolling.

    Actually, it's working fine, unless you're fuckwitted enough to fall for something like this...

  21. Alan Donaly

    Since I never see this

    Dialog except when trying to get into my own websites' semi-private areas I am going to ignore this. I also have other ways to spot phishing sites; silly Netcraft toolbar still works best for me.

  22. Ken Hagan Gold badge

    www.vvaterstones.com instead of www.waterstones.com

    Try it in Arial. It's still distinguishable, but pretty close. (Now tell me that no-one is using Arial as the sans-serif font in their browser.)

  23. Anonymous Coward
    Coat

    Dear me...

    ...is it wrong that I kept reading 'vvaterstones.com' to myself in a thick German accent?
