Closed
Bug 298407
Opened 19 years ago
Closed 19 years ago
There is a potential security problem with the dialog which reqest the master password etc. [SA15489]
Categories
(Toolkit :: Password Manager, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 101611
People
(Reporter: THe_ZiPMaN, Unassigned)
References
()
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050610 Firefox/1.0.4 (Debian package 1.0.4-3) Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050610 Firefox/1.0.4 (Debian package 1.0.4-3) Hello, today I was looking at the Secunia Security Bullettin at this address http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ I think that using this escamotage, a user using firefox could be guided into revealing his master password to a malicious site, since a dialog opened by a javascript can easily be forged to be almost identical to the master password input box. If the user isn't very careful, it's very simple to make the error. Although it's not a security hole itself, it could be one of the first steps of a social engineering attack. An example between 2 colleagues: ATTACKER: please go that site that I want to make you see my photo. LUSER: Opps I must enter the master password ... tip tap tip tap ATTACKER: Thanks for your master password and also for your bank account and your favourite store account etc.etc. One possible solution could be to introduce a different background color for all the input boxes of Firefox or anyway to make impossible to clone them. The user must always be able to recognize a legal box from an illegal one (as you do for example with the address bar for the https addresses). Thanks for your good work Reproducible: Always
Updated•19 years ago
|
Whiteboard: DUPEME
Comment 1•19 years ago
|
||
Is this a dupe of a closed bug?
See related bug 123913 comment 19.
Summary: There is a potential security problem with the dialog which reqest the master password → There is a potential security problem with the dialog which reqest the master password etc. [SA15489]
Reporter | ||
Comment 3•19 years ago
|
||
I read bug 123913 comment 19. Although fixing 123913 can resolve the problem reported by Secunia, I think that a different dialog box (for example with a red background) is a solution also for a different kind of problem, fakes input dialogs. Fixing only 123913 doesn't avoid a malicious site to popup a dialog equal to the one that requests the master password, although it could not popup that window over another page. This should anyway be made impossible to do.
Updated•19 years ago
|
Flags: blocking-aviary1.0.5+
Comment 6•19 years ago
|
||
Confirming to new, we need to come up with a solution for this and try to get it in for 1.0.5.
Status: UNCONFIRMED → NEW
Ever confirmed: true
It would be good to have some sort of graphic in all dialog boxes that clearly indicates if it's a 'safe' (master password, site password) or 'unsafe' (js-input) dialog. Possibly something similar to the lock icon, though possibly not exactly the same to avoid confusion. But in general I think icons are more obvious then text saying 'application dialog' or something similar.
Comment 8•19 years ago
|
||
I think content-originating dialogs should have a distinctive appearance, like a colored background or border.
Comment 9•19 years ago
|
||
This will partially be fixed by 298934. We'll have to wait for a full fix in the next major release.
Flags: blocking1.8b3-
Flags: blocking1.8b3+
Flags: blocking-aviary1.0.5-
Flags: blocking-aviary1.0.5+
Comment 10•19 years ago
|
||
This is exactly what has been requested in bug 101611. I think we are already aware of a lot of problems, we just need the resources to work on them.
Comment 11•19 years ago
|
||
See comment 9 (bug 298934 - show host as title if dialog comes frome a site) and comment 10. *** This bug has been marked as a duplicate of 101611 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•19 years ago
|
Whiteboard: DUPEME
Assignee | ||
Updated•16 years ago
|
Product: Firefox → Toolkit
You need to log in
before you can comment on or make changes to this bug.
Description
•