Closed Bug 1105944 Opened 10 years ago Closed 10 years ago

Auth Phishing Attack for embedded images

Categories

(Core :: General, defect)

35 Branch
x86_64
Windows 7
defect
Not set
normal

RESOLVED DUPLICATE of bug 647010

People

(Reporter: djbrainnrg, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Build ID: 20141127004008

Steps to reproduce:
An image is displayed on a page, that asks for basic authentication. Here is a full article with a use case: http://bfldev.com/auth-pishing

Actual results:
Maybe a user enters the credentials for the page that he is currently on.

Expected results:
Never ask for auth windows in embedded images or other embedded stuff.

Not entirely sure where this goes, or how to request a security rating. Couldn't find any dupes, although maybe I missed them... dveditz/bz, can you help?

(naively speaking, I guess it makes sense not to even bother with auth prompts for image loads, although I'm sure that that'll break the web in some places...)

Regarding the phishing side: you'd need to be able to convince goodsite.com to display an image from evilsite.com, so it doesn't seem to be super severe as issues go. Note also that we display the domain of the image, and so strictly speaking, it should be clear to the user who's requesting auth - but then again, we all know how well users read dialogs like this...
Flags: needinfo?(dveditz)
Flags: needinfo?(bzbarsky)
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(bzbarsky)
Resolution: --- → DUPLICATE
Flags: needinfo?(dveditz)
Moving from Core::Untriaged to Core::General https://bugzilla.mozilla.org/show_bug.cgi?id=1407598
Component: Untriaged → General
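
An added example, not part of the bug report or of Mozilla's code: a check a site operator could run over captured subresource responses to list embedded loads that would raise an HTTP auth prompt, marking the ones that come from an origin other than the page being viewed. The hosts, response records and function names are constructed for illustration, and the `WWW-Authenticate` parsing is simplified to the first scheme and the realm.

```javascript
// Constructed sample data: a page on goodsite.example and the responses to its loads.
const SAMPLE_PAGE = "https://goodsite.example/forum/thread/42";
const SAMPLE_RESPONSES = [
  { url: "https://goodsite.example/logo.png", type: "image", status: 200, headers: {} },
  { url: "https://evilsite.example/avatar.png", type: "image", status: 401,
    headers: { "WWW-Authenticate": 'Basic realm="restricted"' } },
  { url: "https://goodsite.example/private/chart.png", type: "image", status: 401,
    headers: { "www-authenticate": 'Basic realm="staff"' } },
  { url: "https://goodsite.example/forum/thread/42", type: "document", status: 200, headers: {} },
];

// Header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Simplified challenge parsing (assumption): first scheme token and realm only.
function parseChallenge(value) {
  const scheme = /^\s*([A-Za-z][A-Za-z0-9-]*)/.exec(value);
  const realm = /realm\s*=\s*"([^"]*)"/i.exec(value);
  return { scheme: scheme ? scheme[1].toLowerCase() : null, realm: realm ? realm[1] : null };
}

// Return every embedded (non-document) response that carries an auth challenge,
// i.e. every load that could put an auth dialog on top of the page.
function findAuthPromptRisks(pageUrl, responses) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const r of responses) {
    if (r.type === "document" || r.status !== 401) continue;
    const challenge = getHeader(r.headers, "www-authenticate");
    if (challenge === null) continue; // a 401 without a challenge opens no prompt
    const origin = new URL(r.url).origin;
    findings.push({
      url: r.url,
      promptingOrigin: origin,
      crossOrigin: origin !== pageOrigin, // the case described in this bug
      ...parseChallenge(challenge),
    });
  }
  return findings;
}

console.log(findAuthPromptRisks(SAMPLE_PAGE, SAMPLE_RESPONSES));
```

Findings with `crossOrigin: true` are the case this bug describes; same-origin findings are the embedded prompts that a blanket "never prompt for images" rule would also suppress.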