Bugtraq mailing list archives
Re: [Full-disclosure] Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication
From: avivra <avivra () gmail com>
Date: Thu, 3 Jan 2008 15:34:54 +0200
On Jan 3, 2008 12:48 PM, Michal Zalewski <lcamtuf () dione cc> wrote:
Note that any person familiar with the dialog is unlikely to be confused by this prompt, as a clear indication of the originating site, consistent with the design of this dialog, is preserved ("...at http://avivraff.com").
Might be, if the domain indication was more clear, and not at the end of the attacker controlled text.
As such, I would certainly not go as far as recommending "not to provide username and password to web sites which show this dialog" - that's an overkill. Just don't trust self-contradictory or unusually structured dialogs - you never should.
I think regular users would find it difficult to distinguish between a normal dialog and an unusually structured dialog.
Naturally, any person *not* used to seeing this dialog might be eager to enter his credentials there, lulled by the tech lingo - but that's a general complaint about browser design that is in no way specific to Firefox; the same person would be likely to give out his password to: prompt("Please enter your password for foocorp.com (certified by Verisign)")'. ...simply because a systemic failure of browser vendors to provide user-friendly security signaling and UI behavior (along the lines of: "as far as we're concerned, any person with no understanding of SSL, HTTP, and DNS had it coming and should die in a fire").
Actually, the prompt is not a good example, as FireFox does show the originating domain in the title, and IE7 disables prompt by default. Though, I do agree that there are people out there that will be fooled by this too. --Aviv.
Current thread:
- Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication avivra (Jan 03)
- Re: [Full-disclosure] Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication Michal Zalewski (Jan 03)
- Re: [Full-disclosure] Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication avivra (Jan 03)
- Re: [Full-disclosure] Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication Michal Zalewski (Jan 03)