DoctorDoom
01-05-2008, 12:41 PM
Flaws in the way the latest version of Mozilla Firefox presents authentication dialog boxes leave the door open for cybercrooks to trick users into handing over login credentials, a leading security researcher warns.
The spoofing weakness - discovered by Israeli security researcher Aviv Raff - involves a failure by the open source browser to sanitise single quotation marks and spaces in the "realm" value of an authentication header.
"This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site," Raff explained.
Firefox spoofing bug raises phishing fears (http://www.theregister.co.uk/2008/01/04/firefox_spoofing_bug/)
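Added example, not part of the original post or the quoted article: a defensive check that a proxy or log-review script could run over `WWW-Authenticate` headers to flag realm values containing the single quotation marks and space padding the article describes. The function names, the foreign-host heuristic, the normalisation rule and the sample headers are assumptions constructed for this illustration; this is not Mozilla's fix.

```python
import re

# realm="..." as an HTTP quoted-string (backslash escapes allowed).
_REALM_RE = re.compile(r'realm\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
# Heuristic (assumption of this example): text shaped like a host name or URL.
_HOST_RE = re.compile(r'(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})', re.IGNORECASE)

# Constructed sample header, not taken from any real site or advisory.
SUSPICIOUS_SAMPLE = "Basic realm=\"Mail   'portal.example'\""


def extract_realm(header_value):
    """Return the unescaped realm of a Basic/Digest challenge, or None."""
    m = _REALM_RE.search(header_value)
    if m is None:
        return None
    return re.sub(r'\\(.)', r'\1', m.group(1))


def realm_findings(header_value, responding_host):
    """List reasons the realm should not be shown verbatim in a login prompt."""
    realm = extract_realm(header_value)
    if realm is None:
        return []
    findings = []
    if "'" in realm:
        findings.append("single-quote")
    if re.search(r'\s{2,}', realm) or realm != realm.strip():
        findings.append("padding-spaces")
    # A realm that names some other host than the one that sent the challenge
    # can make the prompt look as if it belongs to that other site.
    for host in _HOST_RE.findall(realm):
        if host.lower() != responding_host.lower():
            findings.append("foreign-host:" + host.lower())
    return findings


def sanitized_realm(header_value, max_len=40):
    """One possible normalisation before display: drop single quotes,
    collapse whitespace runs, trim and cap the length."""
    realm = extract_realm(header_value) or ""
    realm = re.sub(r'\s+', ' ', realm.replace("'", "")).strip()
    return realm[:max_len]


if __name__ == "__main__":
    print(realm_findings(SUSPICIOUS_SAMPLE, "files.example"))
    print(repr(sanitized_realm(SUSPICIOUS_SAMPLE)))
```
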