Firefox vulnerable to spoofing flaw

Vulnerabilities discovered in Mozilla's Firefox browser last week could be exploited to steal usernames and passwords.

Israeli security researcher Aviv Raff reported on his blog last week that Mozilla Firefox v2.0.0.11 allows information presented in a basic authentication dialogue box to be spoofed, opening up the possibility of users being redirected to a malicious Web site. Earlier versions of the browser may also be affected.

According to Raff, when a Web server returns a 401 status code, it causes Firefox to display an authentication dialogue box. The 401 status code is returned by the Web server when it recognises that the HTTP data stream sent by a browser or bot is correct, but access to the URL requires further user authentication.

The authentication dialogue box displays the server URL in what is called the WWW-Authenticate header field. This URL is in part defined by the realm value and, according to Raff, it is possible for an attacker to create a specially crafted realm value that will look as if the authentication dialogue came from a trusted Web site. This is due to Firefox failing to sanitise single quotes and spaces in the WWW-Authenticate header field, after a legitimate realm value enclosed in double quotes has been given.
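As an added illustration (not code from Raff's report or from Mozilla), the JavaScript below shows strict client-side handling of the realm: the challenge is parsed against the auth-param grammar, any text left over after the closing double quote invalidates it, and the prompt takes its origin from the connection rather than from the header. The function names, the prompt wording and the sample headers in the comments are constructed for this example.

```javascript
// Added example, not Firefox code. Names and prompt wording are constructed.
// auth-param = token "=" ( token / quoted-string ), per RFC 7235.
const PARAM = /^\s*([\w!#$%&'*+.^`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([\w!#$%&'*+.^`|~-]+))\s*/;

// Parse a header carrying one Basic challenge. Any text that is not a
// well-formed, comma-separated auth-param makes the challenge invalid,
// e.g. the constructed header: Basic realm="Staff area" 'extra text'
function parseBasicChallenge(header) {
  const scheme = /^\s*Basic\s+/i.exec(header);
  if (!scheme) return { ok: false, reason: "not a Basic challenge" };
  let rest = header.slice(scheme[0].length);
  const params = new Map();
  while (rest.length > 0) {
    const m = PARAM.exec(rest);
    if (!m) return { ok: false, reason: "unparsed text: " + rest };
    const name = m[1].toLowerCase();
    if (params.has(name)) return { ok: false, reason: "duplicate " + name };
    // Undo quoted-pair escapes inside a quoted-string value.
    params.set(name, m[2] !== undefined ? m[2].replace(/\\(.)/g, "$1") : m[3]);
    rest = rest.slice(m[0].length);
    if (rest.length > 0 && rest[0] !== ",") {
      return { ok: false, reason: "unparsed text: " + rest };
    }
    rest = rest.slice(1); // drop the separating comma
  }
  if (!params.has("realm")) return { ok: false, reason: "no realm" };
  return { ok: true, realm: params.get("realm") };
}

// Build the prompt text. The origin is supplied by the caller from the
// connection itself; the realm is server-controlled, so it is stripped of
// control characters, capped in length and shown inside quotes.
function promptText(origin, header, maxLen = 64) {
  const fixed = origin + " is requesting a username and password.";
  const c = parseBasicChallenge(header);
  if (!c.ok) return fixed; // malformed challenge: show no server text at all
  let realm = c.realm.replace(/[\u0000-\u001f\u007f-\u009f]/g, "")
    .replace(/\s+/g, " ").trim();
  if (realm.length > maxLen) realm = realm.slice(0, maxLen) + "...";
  return fixed + " The site says: " + JSON.stringify(realm);
}
```

Dropping the server-supplied text for a malformed challenge is a design choice of this example; a client could equally refuse to prompt at all.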

At least two possible attack vectors are opened by this reported flaw, according to Raff. Man-in-the-middle attackers could create a Web page with a link to a trusted site such as a bank. When a victim clicks on the link on the malicious page, the trusted Web page would be opened in a new window. A script would be executed to redirect the newly opened window to the attacker's Web server, allowing username and password details to be compromised.

Alternatively, an attacker could embed an image in an e-mail or Web page which, when clicked on, would return a specially crafted dialogue login from the attacker's Web server, again allowing authentication details to be compromised.

President of Mozilla Europe, Tristan Nitot, told ZDNet Australia sister site ZDNet.co.uk that Mozilla is in the process of investigating the report, and so could not comment further at this time.

"We take security seriously," said Nitot. "We are taking this report seriously, and are investigating."
