There is a potential security problem with the dialog which requests the master password etc. [SA15489]

RESOLVED DUPLICATE of bug 101611

Product: Toolkit
Component: Password Manager
Severity: critical
Reporter: Flavio Visentin
Assignee: Unassigned
Tracking: 1.7 Branch
Bug Flags: blocking-aviary1.0.5 -, blocking1.8b3 -
Firefox Tracking Flags: Not tracked
Description

13 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050610 Firefox/1.0.4 (Debian package 1.0.4-3)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050610 Firefox/1.0.4 (Debian package 1.0.4-3)

Hello, today I was looking at the Secunia Security Bulletin at this address:

http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/

I think that using this escamotage, a user using Firefox could be guided into
revealing his master password to a malicious site, since a dialog opened by
JavaScript can easily be forged to be almost identical to the master password
input box. If the user isn't very careful, it's very simple to make the error.

Although it's not a security hole itself, it could be one of the first steps of
a social engineering attack. An example between 2 colleagues:

ATTACKER: Please go to that site, I want you to see my photo.
LUSER: Oops, I must enter the master password ... tip tap tip tap
ATTACKER: Thanks for your master password and also for your bank account and
your favourite store account etc. etc.

One possible solution could be to introduce a different background color for all
the input boxes of Firefox or anyway to make it impossible to clone them.

The user must always be able to recognize a legal box from an illegal one (as
you do for example with the address bar for the https addresses).

Thanks for your good work

Reproducible: Always
Whiteboard: DUPEME
Is this a dupe of a closed bug?

Comment 2

13 years ago
See related bug 123913 comment 19.
Summary: There is a potential security problem with the dialog which requests the master password → There is a potential security problem with the dialog which requests the master password etc. [SA15489]
(Reporter)

Comment 3

13 years ago
I read bug 123913 comment 19. Although fixing 123913 can resolve the problem
reported by Secunia, I think that a different dialog box (for example with a red
background) is a solution also for a different kind of problem, fake input dialogs.

Fixing only 123913 doesn't prevent a malicious site from popping up a dialog equal to the
one that requests the master password, although it could not pop up that window
over another page. This should anyway be made impossible to do.

Updated

13 years ago
Flags: blocking-aviary1.0.5+

Comment 4

13 years ago
beta 3 too.
Flags: blocking1.8b3+
Is this not a dupe of bug 22183?
Severity: enhancement → critical

Comment 6

13 years ago
Confirming to new, we need to come up with a solution for this and try to get it
in for 1.0.5.
Status: UNCONFIRMED → NEW
Ever confirmed: true
It would be good to have some sort of graphic in all dialog boxes that clearly
indicates if it's a 'safe' (master password, site password) or 'unsafe'
(js-input) dialog.

Possibly something similar to the lock icon, though possibly not exactly the
same to avoid confusion.

But in general I think icons are more obvious than text saying 'application
dialog' or something similar.

Comment 8

13 years ago
I think content-originating dialogs should have a distinctive appearance, like a
colored background or border.

Comment 9

13 years ago
This will partially be fixed by 298934.  We'll have to wait for a full fix in
the next major release.
Flags: blocking1.8b3-
Flags: blocking1.8b3+
Flags: blocking-aviary1.0.5-
Flags: blocking-aviary1.0.5+

Comment 10

13 years ago
This is exactly what has been requested in bug 101611.

I think we are already aware of a lot of problems, we just need the resources to
work on them.

Comment 11

13 years ago
See comment 9 (bug 298934 - show host as title if dialog comes from a site) and
comment 10.

*** This bug has been marked as a duplicate of 101611 ***
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: DUPEME
(Assignee)

Updated

10 years ago
Product: Firefox → Toolkit