Firefox authentication box said to be vulnerable to spoofing for phishing attacks

By

The information in an authentication dialog box from Mozilla's Firefox browser can be spoofed, allowing an attacker to conduct phishing schemes, according to Israeli researcher Aviv Raff.

Firefox authentication box said to be vulnerable to spoofing for phishing attacks
The issue, which exists in the latest version of Firefox 2.0.0.11, allows an attacker to create what appears to be a dialog box from a trusted website.

Firefox fails to display characters in the “www-authenticate” header realm value after the last set of double quotes and fails to sanitize single quotes and spaces, making it possible for an attacker to create a specially crafted realm value from a well-known website, according to Raff.

An attacker can target an end-user with a specially crafted webpage with a link to a trusted website, then open the page in a new window, and eventually return the specially crafted authentication response. A fraudster can also embed an image pointing to their own server to return a basic authentication response through an email, RSS feed, forum, blog or social networking page, according to Raff.

A Mozilla representative could not be immediately reached for comment.
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
attacksauthenticationbeboxfirefoxforphishingsaidsecurityspoofingtovulnerable

Sponsored Whitepapers

Gaining a Competitive Advantage with Communication APIs
Gaining a Competitive Advantage with Communication APIs
Leverage Technologies: Industry-Tailored ERP Implementation for Growth and Compliance
Leverage Technologies: Industry-Tailored ERP Implementation for Growth and Compliance
Service Over Signatures: The Truth About No Lock-In IT
Service Over Signatures: The Truth About No Lock-In IT
Wasabi Reveals Hidden Costs and Cloud Storage Shifts in ANZ for 2025
Wasabi Reveals Hidden Costs and Cloud Storage Shifts in ANZ for 2025
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks

Events

Most Read Articles

CBA using facial recognition logins to verify disputed payments

CBA using facial recognition logins to verify disputed payments
Qantas obtains court order to prevent third-party access to stolen data

Qantas obtains court order to prevent third-party access to stolen data
Cloudflare makes changes to avoid repeat of 1.1.1.1 DNS outage

Cloudflare makes changes to avoid repeat of 1.1.1.1 DNS outage
Researchers demo AI-crippling GPUHammer attack

Researchers demo AI-crippling GPUHammer attack
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?