MOUNTAIN VIEW, CA – A noted security researcher has issued a warning about a Firefox bug that could put passwords at risk.Aviv Raff, an Israeli who is best known for his work ferreting out browser security holes, said Wednesday that a log-on spoofing vulnerability could allow password thieves to trick users into revealing personal data. Although he posted the news to his blog along with a demonstration video, he did not disclose the code required for the spoof to work.
The flaw, which exists in Mozilla’s most recent Firefox release (version 2.0.0.11), involves the Realm header portion of a webpage, according to Raff. Because the flaw doesn’t sanitize single quotation marks and spaces in the Realm header, it is possible for a hacker to massage the code to make it look as if any authentication requests coming from the site come from somewhere else.
According to Raff, there are at least two potential scenarios that could exploit the flaw. In one, the spoof site could include a link to a trusted site like a bank or Web-based email service. When the user clicked on the link and entered his or her username and password in the resulting, genuine-looking dialog box, the data could be saved to the hacker’s server. In the other, a rigged image could be embedded in a blog, social-networking-site page or email message. Clicking the image could bring about the same result as in the previous example.
The video Raff included in his blog demonstrates how the flaw might be exploited using Google Checkout.
“Until Mozilla fixes this vulnerability, I recommend not to provide username and password to websites which show this dialog,” Raff wrote in his blog.
Mozilla last patched Firefox in late November. Late last week, Mozilla Chief of Security Window Snyder said the company is attempting to validate Raff’s claims.
