Firefox spoofing flaw reported

Firefox spoofing flaw reported

Summary: A vulnerability in Firefox v2.0.0.11 has been reported that could allow man-in-the-middle attacks

TOPICS: Security

Mozilla's Firefox web browser is vulnerable to spoofing attacks, according to an Israeli security researcher.

Aviv Raff reported on his blog on Wednesday that Mozilla Firefox v2.0.0.11 allows information presented in a basic authentication dialogue box to be spoofed, opening up the possibility of users being redirected to a malicious website. Earlier versions of the browser may also be affected.

According to Raff, when a web server returns a 401 status code, it causes Firefox to display an authentication dialogue box. The 401 status code is returned by the web server when it recognises that the HTTP data stream sent by a browser or bot is correct, but access to the URL requires further user authentication.

The authentication dialogue box displays the server URL in what is called the WWW-Authenticate header field. This URL is in part defined by the realm value and, according to Raff, it is possible for an attacker to create a specially crafted realm value that will look as if the authentication dialogue came from a trusted website. This is due to Firefox failing to sanitise single quotes and spaces in the WWW-Authenticate header field, after a legitimate realm value enclosed in double quotes has been given.

Read this


Q&A: When more bugs can mean tighter security

Mozilla Europe's president Tristan Nitot explains why having fewer disclosed vulnerabilities doesn't mean Internet Explorer is safer than the open-source web browser

Read more

At least two possible attack vectors are opened by this reported flaw, according to Raff. Man-in-the-middle attackers could create a web page with a link to a trusted website such as a bank. When a victim clicks on the link on the malicious page, the trusted web page would be opened in a new window. A script would be executed to redirect the newly opened window to the attacker's web server, allowing username and password details to be compromised.

Alternatively, an attacker could embed an image in an email or web page which, when clicked on, would return a specially crafted dialogue login from the attacker's web server, again allowing authentication details to be compromised.

President of Mozilla Europe, Tristan Nitot, told that Mozilla is in the process of investigating the report, and so could not comment further at this time.

"We take security seriously," said Nitot. "We are taking this report seriously, and are investigating."

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to start the discussion