Firefox flaw opens door to phishing attacks

 

Gallery

By Matthew Sparkes

Posted on 4 Jan 2008 at 12:01

A security vulnerability has been uncovered in the latest version of Firefox 2 that could leave users open to phishing attacks.

The flaw, which affects version 2.0.0.11 of the browser, allows the creation of a fake log-in dialog box to trick users into divulging passwords for online services.

Firefox displays an authentication dialog box whenever it receives a 401 status code from a web server - an indication that authentication has either failed or has not yet happened. In this case the browser will display a variable called a Realm value in the dialog box, which can be faked to make it seem as though it has come from a legitimate site.

"While Firefox does not display the characters in the "WWW-Authenticate" header Realm value after the last double-quotes ("), it fails to sanitize single-quotes (') and spaces. This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted web site," says Aviv Raff, the researcher who discovered the flaw, on his personal blog.

Raff has posted a video of a demonstration of the flaw on YouTube, and advises that users do not provide their username or password to sites that display such a dialog box until the flaw has been patched.

Mozilla announced last month that Firefox now has 125 million users, although it is unknown how many will be affected by this security threat. Mozilla are aware of the vulnerability, and are currently investigating the matter.

We're out in Las Vegas this week bringing you the latest technology news from CES 2008, have a look at our coverage on our CES minisite.