URL Spoofing using http auth
Categories: Firefox :: Address Bar, defect
People: Reporter: pm.mahendra1, Unassigned
Keywords: csectype-spoof, reporter-external, sec-moderate
Attachments: 2 files
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Firefox for Android
Steps to reproduce:
- Open this URL - http://designs.ndev.xyz/test/new.html or open the attached HTML file.
- Click on 'Click here to Open Apple.com'.
- Wait for 1 second.
Actual results:
POC videos -
Mac - https://youtu.be/FHiHgvBIE1w
Android - https://youtu.be/SbQMQt86KKw
-
The URL has been spoofed. The URL in the address bar is https://apple.com and the auth popup is from techyfly.xyz. It means the URL has been spoofed.
-
HTTP authentication is not giving any warning.
-
HTTP authentication is so dangerous. It can spoof the username and password of a victim. I explained this in these issues: https://bugzilla.mozilla.org/show_bug.cgi?id=1692268 and https://bugzilla.mozilla.org/show_bug.cgi?id=1704346
-
On Android it's showing the actual saved username and password of apple.com.
Expected results:
It should give the actual URL of the HTTP authentication.
UserAgent (Mac) - Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Comment 1•3 years ago
On both Mac and Android the HTTP Auth prompt clearly says https://techyfly.xyz is the site that's asking for the auth. We know we need to improve clarity here because cross-origin sub-resources (scripts or images, for instance) can trigger this prompt and people do get confused. This example is clever and takes advantage of the fact that we don't want to show the user a blank page while they are waiting for a navigation to a new site. We should re-think that: if we get a 401 response we could blank the old page (and update the address bar) before displaying the prompt.
Comment 2•3 years ago
Comment 3•3 years ago
:dveditz thanks for your reply, I understand your point. But seeing this, where the prompt appears on apple.com, the user can think techyfly.xyz is a part of Apple and can insert sensitive information into the prompt.
Did you notice that on the Android device my saved password for apple.com is showing in the prompt? I attached a screenshot. Please look into this.
Comment 4•3 years ago
I'm going to clone this into separate bugs. The Fenix password manager should NOT be suggesting passwords that don't match the source of the http auth.
Comment 5•3 years ago
(In reply to Daniel Veditz [:dveditz] from comment #4)
> I'm going to clone this into separate bugs. The Fenix password manager should NOT be suggesting passwords that don't match the source of the http auth.
Did you create the clone of this bug, or do you want me to create it?
And could you add the 'sec-bounty?' flag to this bug.
Comment 6•3 years ago
Is there a separate bug for the android issue?
I'm pretty sure the desktop issue (which effectively devolves to "indicate the origin requesting auth in the address bar") is a duplicate of an existing bug which is probably public, probably bug 656343 (see also all its dupes...)
Comment 7•3 years ago
Looks like the android issue got filed as bug 1709257.
(In reply to :Gijs (he/him) from comment #6)
> I'm pretty sure the desktop issue (which effectively devolves to "indicate the origin requesting auth in the address bar") is a duplicate of an existing bug which is probably public, probably bug 656343 (see also all its dupes...)
... either that or bug 873810, which is more directly related to what is happening here. I'll leave the needinfo for Dan so he can make a call.
Comment 8•3 years ago
873810 seems the best match
Comment 9•3 years ago
I think I am the noob one here :/ . People reported the same bug 8 years ago. I don't know why the bug is still open. Why is it not fixed yet?
And why is the bug public?
Comment 10•3 years ago
:dveditz I have a request for you: can you remove bug 873810 from the public until it gets resolved?
The reason why I asked you is because:
- The user gets confused about whether the auth popup is coming from the original site or not.
- There is no warning string or message on the auth popup about whether the user should insert the credentials or not.
- I know the user will understand from the domain that appears on the popup. But what if the popup comes from an IP address?
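The two mitigations discussed in this thread, comment 4 (a password manager must only offer saved logins whose origin matches the server that sent the 401) and comment 10 (the prompt should tell the user whether the challenge comes from the site in the address bar, and an IP-literal host gives them no name to judge by), can be expressed as a small origin-matching routine. The following is an added illustration written for this page, not Firefox or Fenix code; the `savedLogins` records with an `origin` field, the function names and the sample data are all assumptions constructed for the example.

```javascript
// Added example (not Firefox/Fenix code): origin-matching logic for an HTTP
// auth prompt. Illustrates comment 4 (offer only logins saved for the
// challenging origin) and comment 10 (label cross-origin and IP-literal
// challenges so the user can tell where the prompt really comes from).

// Origin in the sense of scheme + host + port. The WHATWG URL API lowercases
// the host and drops default ports, so "HTTPS://Apple.com:443/x" and
// "https://apple.com/" share an origin.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Saved logins are keyed by origin (assumed record shape: { origin, username }).
// Only logins whose origin equals the origin of the server that sent the 401
// are candidates; a login saved for https://apple.com must never be offered
// to a challenge from techyfly.xyz, even while apple.com is in the address bar.
function loginsForChallenge(challengeUrl, savedLogins) {
  const target = originOf(challengeUrl);
  return savedLogins.filter((login) => originOf(login.origin) === target);
}

// Relate the document shown in the address bar to the server asking for
// credentials, and flag hosts that are bare IP literals (IPv4 dotted quad,
// or an IPv6 literal, which the URL API reports in brackets).
function classifyAuthSource(addressBarUrl, challengeUrl) {
  const page = originOf(addressBarUrl);
  const target = originOf(challengeUrl);
  const host = new URL(challengeUrl).hostname;
  const isIpLiteral =
    /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
  return {
    relation: page === target ? "same-origin" : "cross-origin",
    host,
    isIpLiteral,
  };
}

// Text a prompt could show instead of a bare "Authentication required".
function promptMessage(addressBarUrl, challengeUrl) {
  const c = classifyAuthSource(addressBarUrl, challengeUrl);
  const where = c.isIpLiteral ? `the IP address ${c.host}` : c.host;
  if (c.relation === "same-origin") {
    return `${where} is asking for your username and password.`;
  }
  return `${where}, which is NOT the site shown in the address bar, is asking for your username and password.`;
}

// Constructed sample data for the example; not real credentials.
const sampleLogins = [
  { origin: "https://apple.com", username: "victim@example.com" },
  { origin: "https://techyfly.xyz", username: "other-account" },
];

// Walk through the scenario from this report: apple.com is in the address bar
// while a 401 arrives from techyfly.xyz.
function demo() {
  const challenge = "https://techyfly.xyz/protected";
  return {
    offered: loginsForChallenge(challenge, sampleLogins).map((l) => l.username),
    message: promptMessage("https://apple.com/", challenge),
  };
}
```

With the scenario from this report, `demo()` offers only the techyfly.xyz login and the message names techyfly.xyz as not being the site in the address bar; a challenge from an IP literal is called out as such. Matching on the full origin (rather than hostname alone) also keeps an `http://` challenge from receiving a login saved under `https://`.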
Comment 11•3 years ago
That bug has been public for 8 years. There's no point in hiding it now.