Closed Bug 1389155 Opened 7 years ago Closed 7 years ago

HTTP basic authentication dialog prevents closing a tab on an adversarial website

Categories

Product/Component: Toolkit :: Password Manager
Version: 55 Branch
Hardware: x86_64
OS: All
Type: defect
Priority: Not set
Severity: major

RESOLVED DUPLICATE of bug 613785

People

(Reporter: miikka.salminen, Unassigned)

Details

(Keywords: dupeme)

Attachments

(1 file)

Basically, the issue is the same as in bug #1312243 (even the scam website looks the same), which is marked as fixed in Firefox 52. The bug, though, has now occurred to me in Firefox 55 for Windows and Firefox 54 for Linux.

I was redirected to a scam website. The scam website kept opening the HTTP basic authentication dialog regardless of whether the Cancel or OK button was pressed. While the dialog was open, I was unable to close the adversarial tab or switch to another tab; the only way to solve the issue was to kill the window containing that tab through the task manager.

I was able to recreate a similar hostile environment with a Python 3.5 script, which I've included as an attachment. The instructions are in the script's docstring.

IMO, it should be possible to kill a tab that's requesting HTTP basic authentication.

I did some additional testing:
- The X button for closing the dialog exhibits the same result: the dialog reappears and it's impossible to kill the tab.
- Trying to kill the window with the adversary tab by right-clicking on the window in the task bar and selecting "Close window" doesn't help either.
- Pressing Ctrl+W doesn't help when the dialog is open, but if the user is fast enough, it can be used to close the tab after clicking the Cancel button.
- A link opened to a site asking for HTTP basic authentication gets focused immediately even when Firefox is set to keep the focus on the current tab when opening links. An easy way to test this is with the script attached in the bug report, and entering the following into the URL bar: data:text/html,<a href="http://localhost:8000">Adversary link</a><br><a href="https://developer.mozilla.org">Well-behaving link</a>

As for some other browsers, Internet Explorer seems to have the same failure mode, whereas Chrome seems to let the user close that window/tab.

As a general security note, I also think the UI should, in some way, warn the user of the HTTP basic auth method. The current demanding wording/tone and the lack of preventive measures in the dialog suggest an urgency that might cause an unwary user to get phished.

Component: Tabbed Browser → Password Manager
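The attached Python 3.5 script is not reproduced on this page. The following is an added example (not the reporter's attachment and not Firefox code) of the kind of hostile server the report describes: it answers every request with 401 and a fresh `WWW-Authenticate: Basic` challenge, never accepting credentials, so a browser that re-prompts on 401 re-opens the dialog after both Cancel and OK. The realm text, the port (chosen to match the `http://localhost:8000` link in the report) and the `challenge_response` helper name are assumptions.

```python
"""Always-challenge HTTP server, an added reconstruction of the hostile
environment described in the report (not the attached script).

Usage: run this file, then open http://localhost:8000 in the browser under
test, or paste the data: URL from the report into the URL bar and click the
"Adversary link". Every request, with or without credentials, gets a 401 plus
a new Basic challenge.
"""
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Adversary realm"  # assumed realm text shown in the dialog
PORT = 8000                # matches the localhost:8000 link in the report

# Focus-test page from the report, kept here for convenience.
TEST_PAGE_URL = ('data:text/html,<a href="http://localhost:8000">Adversary link</a>'
                 '<br><a href="https://developer.mozilla.org">Well-behaving link</a>')


def challenge_response(authorization_header=None):
    """Return (status, headers, body) for one request.

    Unlike a real protected resource this never accepts credentials. The
    Authorization header is decoded only so a run shows what the dialog
    submitted; the answer is still 401 with a fresh Basic challenge.
    """
    submitted = None
    if authorization_header and authorization_header.startswith("Basic "):
        try:
            raw = base64.b64decode(authorization_header[6:], validate=True)
            submitted = raw.decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            submitted = "<undecodable>"
    headers = {
        "WWW-Authenticate": 'Basic realm="%s"' % REALM,
        "Content-Type": "text/plain; charset=utf-8",
        # Defeat caching so every navigation and reload hits the server again.
        "Cache-Control": "no-store",
    }
    body = "401 Unauthorized"
    if submitted is not None:
        body += "\nreceived credentials: " + submitted
    return 401, headers, body.encode("utf-8")


class AlwaysChallengeHandler(BaseHTTPRequestHandler):
    """Serves the challenge for any path, ignoring what the client sends."""

    def do_GET(self):
        status, headers, body = challenge_response(self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET

    def log_message(self, fmt, *args):
        # Log the raw Authorization header so the dialog's output is visible.
        print("%s %s Authorization=%r" % (self.command, self.path,
                                          self.headers.get("Authorization")))


def serve(port=PORT):
    """Block forever serving challenges on 127.0.0.1:port."""
    with HTTPServer(("127.0.0.1", port), AlwaysChallengeHandler) as httpd:
        print("always-401 server on http://localhost:%d (Ctrl+C to stop)" % port)
        httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

The server binds to the loopback address only, since it exists purely to exercise the browser's handling of repeated 401 challenges; it does not need to be reachable from anywhere else.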
Keywords: dupeme
Product: Firefox → Toolkit
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE