Researcher: Firefox vulnerable to ID spoofing

Researcher: Firefox vulnerable to ID spoofing

Summary: Firefox 2.0 has a vulnerability that can leave its users susceptible to an identity theft attack, according to Aviv Raff, a security researcher based in Israel.

TOPICS: Browser, Security

Firefox 2.0 has a vulnerability that can leave its users susceptible to an identity theft attack, according to Aviv Raff, a security researcher based in Israel.

Raff outlined a bug in Firefox that allows spoofing and enables an attacker "to conduct phishing attacks, by tricking the user to believe that the authentication dialog box is from a trusted website." The versions affected include Firefox v2.0.0.11 and prior versions. Ryan Naraine got a private demo of Raff's work and noted that this attack is easy to fall for.

Gallery: How to secure Firefox.

Raff in his post outlines two possible attacks:

   1.  An attacker creates a web page with a link to a trusted website (e.g. Bank, PayPal, Webmail, etc.). When the victim clicks on the link, the trusted web page will be opened in a new window, and a script will be executed to redirect the new opened window to the attacker's web server, which will then return the specially crafted basic authentication response.

2. An attacker embeds an image (pointing to the attacker's web server, which will return the specially crafted basic authentication response) to:

  • A mail which will be sent to a webmail user.
  • RSS feed which will be consumed by a web RSS reader.
  • A forum/blog/social network page.

As for the workaround, Raff suggests avoiding sites that require password authentication and give you a dialog that looks like this. Mozilla last issued a security patch for Firefox Nov. 27.


Topics: Browser, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Well there are tell tale signs this is a fake...

    1) does not use Verisign.
    2) Get more details about the certificate @ none google site
    3) does not require a userid and password.
    • Either way, some will be fooled

      This certificate nonsense is too complicated for the average user and some will probably fall for it.

      That said, this isnt a big issue either and I wouldnt worry about running Firefox.
  • Microsoft Forcing Silverlight Upon Users

    Bye bye Microsoft...I won't visit your page anymore.
    • And this has to do with a FireFox vulnerability how?

      Outside of an attempt to mindlessly bash MS, how does this have anything at all to do with a flaw in FF?
      • Nothing...Just Pointing Out ZDNet Avoids Good Stories

        And posts stupid stories like "Oh look! I can build a Mac PC!!"
        • So a security risk

          is a 'nothing' story, but the fact that MS will use their own technology to host their own web site at some future point (possibly) is important?

          And having as powerful a machine at a great savings is stupid?

          Hey you, off my planet!
          • Don't see this as a security risk

            Seeing as the patch was released on November 27 of 2007. that's like over a month ago.
          • Or you could even say last year :)

          • Funny how that excuse

            works for non-MS products only...
          • As much as I like FF, it is a security risk.

            The article specifically states that is vulnerable. That also happens to be the latest update unless you're trying out FF3.

            The last security update was 27Nov2007. There is no current patch for this particular exploit.
          • The arrogance!!

            Who says it is your planet? Just cuz you happen to be on it. That's right! Go find your own planet, if that's what ur after!
        • This isnt a good story, Ou's is more interesting

          If you actually bothered to read the story it said, Microsoft would be making an alternative interface to HTML available--nothing is being forced.

          The talkbacks for the article mentions that this was announced a month ago so this is not a "new" story either.
        • Re: "Nothing...Just Pointing Out ZDNet Avoids Good Stories"

          So why do you even subscribe to ZDNet if you have so many issues with them?

          Why don't you just unsubscribe & try Nickelodeon ( It's better suited to the amount of grey matter between your ears.
      • It is called "misdirection"

        He does that when he finds out that something he endorses turns out to leave egg on his face... :)
        • Shut Up, Fool

          • Zune was PCMagazine's Editor's choice

            not the iPod. Interesting.
          • Unfortunately the Zune software still sucks

            Otherwise I would definitely get one and dump my oldie JobsPod
  • So you have to go to a bogus...

    web site and click on a bogus link. If you fall for this then there is no hope.
  • I dunno about you, but . . .

    I dunno about you, but I've never had a secure website create a pop up like that (the form is always part of the page).

    Also, IE can be made to pop up a dialog box as well - meaning that this isn't a Firefox only problem, it's something that can be done with any browser.

    I'm not sure why the author of this article chose to single out Firefox.
    • I've Never Experienced It Either

      I use both browsers about equally, and have never experienced such a pop up. When accessing a site, it already contains the "login" feature or you click on login and then are taken to the next page.

      At any rate, it is depressing. I can remember the days when surfing was pretty much just plain fun and the hackers had not yet taken over control of the Web. What a sad revelation on the darker aspects of human nature.