Closed Bug 1343456 Opened 8 years ago Closed 8 years ago

HTTP Basic Auth origin spoofing

Categories

(Firefox :: Untriaged, defect)

54 Branch
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 656343

People

(Reporter: mishra.dhiraj95, Unassigned)

Details

Attachments

(1 file)

Attached image POC.PNG
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170228030203

Steps to reproduce:

Product Affected:
Name: Firefox
Version: 54.0a1
Build ID: 20170228030203
Update Channel: nightly
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Multiprocess Windows: 2/2 (Enabled by default)

Steps to Reproduce:
1. Visit http://hackies.in/auth.html
2. Click Me
3. .....

Actual results:

We show the HTTP prompt before updating the address bar; however, the address bar seems trustworthy. Attaching the PoC for reference. I believe the impact of this may be high.

Expected results:

The address bar should be updated before showing the HTTP prompt. I have searched my best for similar issues in Bugzilla; if one still exists, sorry for the inconvenience.
Component: Untriaged → Location Bar
OS: Unspecified → All
Hardware: Unspecified → All
This is effectively the same as bug 656343. In any case, the domain for the auth request is explicitly listed in the dialog, so I'm not sure this is a serious spoofing factor at this point. Dan?
Component: Location Bar → Untriaged
Flags: needinfo?(dveditz)
The name _is_ in the http prompt, but it's not highlighted very well and easy to gloss over. There's a reasonable spoof here if people are going fast. Thankfully http auth is really unusual on the web and we can hope that will stop people from doing stupid things.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
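As an added illustration of the defensive point made in the two comments above (a credential prompt must name the origin that issued the challenge, and that origin can differ from the document the address bar currently shows), here is example Python code that is not part of Firefox or of this bug: it derives the origin a prompt should display from the challenging response URL, flags the cross-origin case, and keeps the server-supplied realm out of the trust decision. The challenge URL and realm values are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Default ports used to normalise an origin (constructed for this example).
DEFAULT_PORTS = {"http": 80, "https": 443}

# Matches the auth scheme and an optional quoted realm in a WWW-Authenticate value.
_CHALLENGE_RE = re.compile(r'^\s*(?P<scheme>[A-Za-z]+)(?:\s+realm="(?P<realm>[^"]*)")?')


def origin_of(url: str) -> str:
    """Return the scheme://host:port origin that a credential prompt should name."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # urlsplit already lowercases the host
    port = parts.port or DEFAULT_PORTS.get(scheme)
    if not host or port is None:
        raise ValueError(f"cannot derive an origin from {url!r}")
    return f"{scheme}://{host}:{port}"


def parse_challenge(www_authenticate: str) -> dict:
    """Split a WWW-Authenticate header into its scheme and realm (both free text)."""
    m = _CHALLENGE_RE.match(www_authenticate)
    if not m:
        raise ValueError("unrecognised WWW-Authenticate header")
    return {"scheme": m.group("scheme"), "realm": m.group("realm")}


def describe_auth_prompt(displayed_url: str, challenge_url: str, www_authenticate: str) -> dict:
    """Decide what a credential prompt should say, given the document currently shown
    in the address bar and the response that carried the 401 challenge.

    The prompt names the origin of the challenging response, never the realm: the
    realm is server-chosen text and says nothing about who is actually asking.
    """
    challenge = parse_challenge(www_authenticate)
    prompt_origin = origin_of(challenge_url)
    cross_origin = prompt_origin != origin_of(displayed_url)
    label = f"{prompt_origin} is requesting your username and password."
    if cross_origin:
        label = f"Warning: {label} This is not the site shown in the address bar."
    return {
        "prompt_origin": prompt_origin,
        "cross_origin": cross_origin,
        "realm": challenge["realm"],
        "label": label,
    }
```

The cross-origin flag is what a browser UI would use to make the challenging host prominent, which is exactly the property the prompt in this report lacked.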