Security researcher Aviv Raff says that, when a server returns a 401 status code, Firefox displays an authentication dialogue box. The 401 code is returned when the server recognizes that the HTTP data stream sent by a browser is correct, but access requires further authentication.
Raff says it is possible for an attacker to create a bogus frame that looks exactly as if the authentication dialogue came from a trusted website. This is possible because Firefox fails to separate single spaces and quotes in the WWW-Authenticate header field after a legitimate realm value enclosed in double quotes has been given.
This gives attackers two possible options: one is to create a web page with a link to a trusted site such as a bank, and the other is to embed an image in an e-mail or web page, which would then return a specially crafted login dialogue when clicked on. Both methods allow username and password details to be compromised. Mozilla Europe is refraining from comment while it investigates the matter.
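
A defensive check for the header condition described above, as an added example that is not taken from Raff's report or from Mozilla's code: a proxy or scanner can parse a Basic WWW-Authenticate challenge strictly and flag any text after the quoted realm that is not a comma-separated parameter. The function name and the sample headers are constructed for illustration, and the check assumes one challenge per header value.

```python
import re

# Grammar pieces from the HTTP authentication RFCs: token and quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = re.compile(rf"\s*({_TOKEN})\s*=\s*({_QUOTED}|{_TOKEN})\s*")


def check_basic_challenge(header_value):
    """Return (realm, problems) for one WWW-Authenticate header value."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None, ["not a Basic challenge"]
    params, problems, pos = {}, [], 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            problems.append(f"unparsable text: {rest[pos:]!r}")
            break
        name = m.group(1).lower()
        if name in params:
            problems.append(f"duplicate parameter: {name}")
        params[name] = m.group(2)
        pos = m.end()
        if pos < len(rest):
            if rest[pos] != ",":
                # Text follows the value without a separator: the case in the report.
                problems.append(f"trailing text after {name}: {rest[pos:]!r}")
                break
            pos += 1
    realm = params.get("realm")
    if realm is None:
        problems.append("missing realm")
    elif not realm.startswith('"'):
        problems.append("realm is not a quoted-string")
    else:
        realm = re.sub(r"\\(.)", r"\1", realm[1:-1])  # undo quoted-pair escapes
    return realm, problems


# Constructed sample headers, not captured traffic.
SAMPLES = [
    'Basic realm="Example Intranet"',
    'Basic realm="Example Intranet", charset="UTF-8"',
    'Basic realm="Example Intranet" \'appended text\'',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_basic_challenge(header))
```
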

