ID Theft Vulnerability Haunts Firefox

Israeli security researcher Aviv Raff has issued a warning for a fairly serious browser vulnerability that exposes Firefox users to identity theft attacks.

Raff, a well-respected hacker who regularly reports security problems in software products, discovered a way to use a browser bug to lure Firefox users into entering login credentials into a maliciously rigged dialog box.

The technical details:

Mozilla Firefox displays an authentication dialog whenever the visited web server returns a 401 status code and the "WWW-Authenticate" header. In order to specify basic authentication, the "WWW-Authenticate" header should have the value [Basic realm="XXX"] (without the brackets). The Realm value, which in this case is XXX, will be displayed in the authentication dialog window. While Firefox does not display the characters in the "WWW-Authenticate" header Realm value after the last double quote ("), it fails to sanitize single quotes (') and spaces. This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted Web site.

Raff posted a video (.wmv file) to demonstrate an attack scenario but declined to publish proof-of-concept code.

He did provide me with a private demo of the issue, which also works if a Firefox user attempts to load an RSS feed into Google Reader or iGoogle.

Raff's discovery highlights a very serious design deficiency that affects all modern Web browsers -- the use of hard-to-comprehend dialog boxes to handle trust between user and Web site.

I know Firefox is working on a better way to display trust to end users in Firefox 3, but, in this day and age, the average mom-and-pop will never understand certificate dialogs filled with techy jargon. They are the big target for these kinds of attacks.
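
The realm handling described in the technical details above can be checked on the defensive side, for example in a proxy or in the code that renders the prompt. The following is an added example, not Raff's proof of concept and not Mozilla's code: the function names, finding labels and sample headers are constructed for illustration, and the "last double quote" rule is modelled on the article's description.

```javascript
// Added example (constructed); models the display rule described above.
const QUOTES = /['"`\u2018\u2019\u201C\u201D]/g;

// Realm as displayed: text between realm=" and the LAST double quote.
function extractRealm(headerValue) {
  const m = /^\s*Basic\s+realm="/i.exec(headerValue);
  if (!m) return null;
  const end = headerValue.lastIndexOf('"');
  return end >= m[0].length ? headerValue.slice(m[0].length, end) : null;
}

// Flag realm features that let dialog text misstate who is asking.
function auditRealm(headerValue, originHost) {
  const realm = extractRealm(headerValue);
  if (realm === null) return { realm, findings: ['not-basic-challenge'] };
  const findings = [];
  if (realm.search(QUOTES) !== -1) findings.push('embedded-quote');
  if (/\s{2,}|[\t\r\n\u00A0]/.test(realm)) findings.push('whitespace-padding');
  const hosts = realm.match(/\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi) || [];
  if (hosts.some((h) => h.toLowerCase() !== originHost.toLowerCase())) {
    findings.push('foreign-host');
  }
  return { realm, findings };
}

// Neutralise a realm before showing it: no quotes, single spaces, capped length.
function displayRealm(realm, maxLen = 40) {
  const cleaned = realm.replace(QUOTES, '').replace(/\s+/g, ' ').trim();
  return cleaned.length > maxLen ? cleaned.slice(0, maxLen) + '...' : cleaned;
}

// Constructed sample challenges, as if served by files.example.org.
const SAMPLE_HEADERS = [
  'Basic realm="Members area"',
  'Basic realm="Intranet\' \'portal.example.test      "',
];
for (const header of SAMPLE_HEADERS) {
  const { realm, findings } = auditRealm(header, 'files.example.org');
  console.log(JSON.stringify(displayRealm(realm)), findings);
}
```
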
Well, a program called SiteAdvisor can help in that regard. I usually install it on my customers' PCs. www.siteadvisor.com