MUST READ: Congress demands answers from Google over Glass privacy concerns

Topic: Browser

Researcher: Firefox vulnerable to ID spoofing

Summary: Firefox 2.0 has a vulnerability that can leave its users susceptible to an identity theft attack, according to Aviv Raff, a security researcher based in Israel.

Larry Dignan

By for Zero Day |

Firefox 2.0 has a vulnerability that can leave its users susceptible to an identity theft attack, according to Aviv Raff, a security researcher based in Israel.

Raff outlined a bug in Firefox that allows spoofing and enables an attacker "to conduct phishing attacks, by tricking the user to believe that the authentication dialog box is from a trusted website." The versions affected include Firefox v2.0.0.11 and prior versions. Ryan Naraine got a private demo of Raff's work and noted that this attack is easy to fall for.

Gallery: How to secure Firefox.

Raff in his post outlines two possible attacks:

   1.  An attacker creates a web page with a link to a trusted website (e.g. Bank, PayPal, Webmail, etc.). When the victim clicks on the link, the trusted web page will be opened in a new window, and a script will be executed to redirect the new opened window to the attacker's web server, which will then return the specially crafted basic authentication response.

2. An attacker embeds an image (pointing to the attacker's web server, which will return the specially crafted basic authentication response) to:

  • A mail which will be sent to a webmail user.
  • RSS feed which will be consumed by a web RSS reader.
  • A forum/blog/social network page.

As for the workaround, Raff suggests avoiding sites that require password authentication and give you a dialog that looks like this. Mozilla last issued a security patch for Firefox Nov. 27.

authentication.png

Topics: Browser, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

26 comments
Log in or register to join the discussion

  • Well there are tell tale signs this is a fake...

    1) google.com does not use Verisign.
    2) Get more details about the certificate @ none google site
    3) google.com does not require a userid and password.
    mrOSX
    Reply Vote

    • Either way, some will be fooled

      This certificate nonsense is too complicated for the average user and some will probably fall for it.

      That said, this isnt a big issue either and I wouldnt worry about running Firefox.
      otaddy
      Reply Vote

  • Microsoft Forcing Silverlight Upon Users

    http://neosmart.net/blog/2008/redesigned-microsoft-website-to-use-silverlight/

    Bye bye Microsoft...I won't visit your page anymore.
    itanalyst
    Reply Vote

    • And this has to do with a FireFox vulnerability how?

      Outside of an attempt to mindlessly bash MS, how does this have anything at all to do with a flaw in FF?
      mdemuth
      Reply Vote

      • Nothing...Just Pointing Out ZDNet Avoids Good Stories

        And posts stupid stories like "Oh look! I can build a Mac PC!!"
        itanalyst
        Reply Vote

        • So a security risk

          is a 'nothing' story, but the fact that MS will use their own technology to host their own web site at some future point (possibly) is important?

          And having as powerful a machine at a great savings is stupid?

          Hey you, off my planet!
          mdemuth
          Reply Vote

          • Don't see this as a security risk

            Seeing as the patch was released on November 27 of 2007. that's like over a month ago.
            voska1
            Reply Vote

          • Or you could even say last year :)

            NT
            mrOSX
            Reply Vote

          • Funny how that excuse

            works for non-MS products only...
            mdemuth
            Reply Vote

          • As much as I like FF, it is a security risk.

            The article specifically states that 2.0.0.11 is vulnerable. That also happens to be the latest update unless you're trying out FF3.

            The last security update was 27Nov2007. There is no current patch for this particular exploit.
            Letophoro
            Reply Vote

          • The arrogance!!

            Who says it is your planet? Just cuz you happen to be on it. That's right! Go find your own planet, if that's what ur after!
            techboy_z
            Reply Vote

        • This isnt a good story, Ou's is more interesting

          If you actually bothered to read the story it said, Microsoft would be making an alternative interface to HTML available--nothing is being forced.

          The talkbacks for the article mentions that this was announced a month ago so this is not a "new" story either.
          otaddy
          Reply Vote

        • Re: "Nothing...Just Pointing Out ZDNet Avoids Good Stories"

          So why do you even subscribe to ZDNet if you have so many issues with them?

          Why don't you just unsubscribe & try Nickelodeon (http://www.nick.com)? It's better suited to the amount of grey matter between your ears.
          IT_Guy_z
          Reply Vote

      • It is called "misdirection"

        He does that when he finds out that something he endorses turns out to leave egg on his face... :)
        GuidingLight
        Reply Vote

        • Shut Up, Fool

          ...
          itanalyst
          Reply Vote

          • Zune was PCMagazine's Editor's choice

            not the iPod. Interesting.
            GuidingLight
            Reply Vote

          • Unfortunately the Zune software still sucks

            Otherwise I would definitely get one and dump my oldie JobsPod
            tikigawd
            Reply Vote

  • So you have to go to a bogus...

    web site and click on a bogus link. If you fall for this then there is no hope.
    bjbrock
    Reply Vote

  • I dunno about you, but . . .

    I dunno about you, but I've never had a secure website create a pop up like that (the form is always part of the page).

    Also, IE can be made to pop up a dialog box as well - meaning that this isn't a Firefox only problem, it's something that can be done with any browser.

    I'm not sure why the author of this article chose to single out Firefox.
    CobraA1
    Reply Vote

    • I've Never Experienced It Either

      I use both browsers about equally, and have never experienced such a pop up. When accessing a site, it already contains the "login" feature or you click on login and then are taken to the next page.

      At any rate, it is depressing. I can remember the days when surfing was pretty much just plain fun and the hackers had not yet taken over control of the Web. What a sad revelation on the darker aspects of human nature.
      EBathory
      Reply Vote
CNET Join | Log In | Privacy | Cookies Close