The issue, which exists in the latest version of Firefox 2.0.0.11, allows an attacker to create what appears to be a dialog box from a trusted website.
Firefox fails to display characters in the “www-authenticate” header realm value after the last set of double quotes and fails to sanitize single quotes and spaces, making it possible for an attacker to create a specially crafted realm value from a well-known website, according to Raff.
An attacker can target an end-user with a specially crafted webpage with a link to a trusted website, then open the page in a new window, and eventually return the specially crafted authentication response. A fraudster can also embed an image pointing to their own server to return a basic authentication response through an email, RSS feed, forum, blog or social networking page, according to Raff.
A Mozilla representative could not be immediately reached for comment.
Firefox authentication box said to be vulnerable to spoofing for phishing attacks
By
Frank Washkuch
on Jan 8, 2008 4:07PM
The information in an authentication dialog box from Mozilla's Firefox browser can be spoofed, allowing an attacker to conduct phishing schemes, according to Israeli researcher Aviv Raff.
Got a news tip for our journalists? Share it with us anonymously here.
Partner Content
Promoted Content
A 360° view of the cost of data breaches in Australia and how to mitigate them
Promoted Content
Why Australia’s governments need to expand their data boundaries
Partner Content
Deadline to enter 2021 IoT Awards extended
Promoted Content
Australian data sovereignty and protection concerns increase
Sponsored Whitepapers
The ultimate guide to customer IAM
Communicating cyber security in a language the Board understands
10 questions to ask before you select a Network Performance Management tool
Innovate faster. Why accelerating change is a CIO's biggest challenge.
Unlock faster time-to-revenue using Adobe digital document processes
