Firefox authentication spoofing vulnerability

by Stephen Withers
Monday, 07 January 2008

A researcher has identified a vulnerability in Firefox's basic authentication dialog that may help phishers lull users into a false sense of security. The problem is that it is possible to craft a WWW-Authenticate header in such a way that Firefox will display an authentication dialog that at first glance resembles that of the real site.

Aviv Raff, who brought the problem to light, says possible exploits include links to "trusted websites" such as banks, PayPal or webmail services, coupled with scripting to redirect the newly opened window to the attacker's server. Other browsers, such as Internet Explorer and Opera, display the data in a format that makes it more obvious that the information came from a site other than the one from which it purports to originate.

"Until Mozilla fixes this vulnerability, I recommend not to provide username and password to web sites which show this dialog," says Raff. According to the Mozilla Security Blog, "Mozilla is currently investigating this issue and has assigned it an initial security severity rating of low."
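
A defensive check for the behaviour described above, as an added example that is not from the original article, from Raff or from Mozilla: it flags HTTP 401 responses whose Basic realm (the server-supplied text a browser shows in the authentication dialog) names a hostname other than the server that sent it. The heuristic, the function names and the sample hosts are assumptions made for illustration.

```python
import re

# Captures the quoted realm of a Basic challenge (realm given as its first parameter).
_REALM_RE = re.compile(r'(?i)\bBasic\b[^,]*?\brealm\s*=\s*"((?:[^"\\]|\\.)*)"')
# Hostname-like tokens inside the realm text, e.g. "www.bank.example".
_HOST_RE = re.compile(r'(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b')


def realm_of(www_authenticate):
    """Return the unescaped Basic realm, or None if no Basic realm is present."""
    m = _REALM_RE.search(www_authenticate)
    if not m:
        return None
    return re.sub(r'\\(.)', r'\1', m.group(1))  # undo quoted-pair escapes


def same_site(host_a, host_b):
    """Heuristic (assumption): equal hosts, or one is a subdomain of the other."""
    a, b = host_a.lower().rstrip('.'), host_b.lower().rstrip('.')
    return a == b or a.endswith('.' + b) or b.endswith('.' + a)


def foreign_hosts_in_realm(response_host, www_authenticate):
    """Hostnames named in the realm that do not belong to the responding host."""
    realm = realm_of(www_authenticate)
    if realm is None:
        return []
    found = {h.lower() for h in _HOST_RE.findall(realm)}
    return sorted(h for h in found if not same_site(h, response_host))


# Constructed samples: (host that sent the 401, its WWW-Authenticate value).
SAMPLES = [
    ("intranet.corp.example", 'Basic realm="Staff wiki"'),
    ("www.bank.example", 'Basic realm="www.bank.example online banking"'),
    ("files.other-site.example", 'Basic realm="Session expired at www.bank.example"'),
]

if __name__ == "__main__":
    for host, header in SAMPLES:
        print(host, "->", foreign_hosts_in_realm(host, header) or "ok")
```

Run over proxy or web-gateway logs, a non-empty result marks a challenge worth reviewing; a realm that names no hostname at all is not covered by this check.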