Re: Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication

[avivra <avivra () gmail com>]

On Jan 3, 2008 12:48 PM, Michal Zalewski <lcamtuf () dione cc> wrote:

> Note that any person familiar with the dialog is unlikely to be confused
> by this prompt, as a clear indication of the originating site, consistent
> with the design of this dialog, is preserved ("...at
> http://avivraff.com";).

Might be, if the domain indication was more clear, and not at the end
of the attacker controlled text.

> As such, I would certainly not go as far as
> recommending "not to provide username and password to web sites which show
> this dialog" - that's an overkill. Just don't trust self-contradictory or
> unusually structured dialogs - you never should.

I think regular users would find it difficult to distinguish between a
normal dialog and an unusually structured dialog.

> Naturally, any person *not* used to seeing this dialog might be eager to
> enter his credentials there, lulled by the tech lingo - but that's a
> general complaint about browser design that is in no way specific to
> Firefox; the same person would be likely to give out his password to:
>
>   prompt("Please enter your password for foocorp.com (certified by Verisign)")'.
>
> ...simply because a systemic failure of browser vendors to provide
> user-friendly security signaling and UI behavior (along the lines of: "as
> far as we're concerned, any person with no understanding of SSL, HTTP, and
> DNS had it coming and should die in a fire").

Actually, the prompt is not a good example, as FireFox does show the
originating domain in the title, and IE7 disables prompt by default.
Though, I do agree that there are people out there that will be fooled
by this too.

--Aviv.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/