Closed Bug 298407 Opened 19 years ago Closed 19 years ago

There is a potential security problem with the dialog which reqest the master password etc. [SA15489]

Categories

(Toolkit :: Password Manager, defect)

1.7 Branch
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 101611

People

(Reporter: THe_ZiPMaN, Unassigned)

References

()

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050610 Firefox/1.0.4 (Debian package 1.0.4-3)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050610 Firefox/1.0.4 (Debian package 1.0.4-3)

Hello, today I was looking at the Secunia Security Bullettin at this address

http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/

I think that using this escamotage, a user using firefox could be guided into
revealing his master password to a malicious site, since a dialog opened by a
javascript can easily be forged to be almost identical to the master password
input box. If the user isn't very careful, it's very simple to make the error.

Although it's not a security hole itself, it could be one of the first steps of
a social engineering attack. An example between 2 colleagues:

ATTACKER: please go that site that I want to make you see my photo.
LUSER: Opps I must enter the master password ... tip tap tip tap
ATTACKER: Thanks for your master password and also for your bank account and
your favourite store account etc.etc.

One possible solution could be to introduce a different background color for all
the input boxes of Firefox or anyway to make impossible to clone them.

The user must always be able to recognize a legal box from an illegal one (as
you do for example with the address bar for the https addresses).

Thanks for your good work

Reproducible: Always
Whiteboard: DUPEME
Is this a dupe of a closed bug?
See related bug 123913 comment 19.
Summary: There is a potential security problem with the dialog which reqest the master password → There is a potential security problem with the dialog which reqest the master password etc. [SA15489]
I read bug 123913 comment 19. Although fixing 123913 can resolve the problem
reported by Secunia, I think that a different dialog box (for example with a red
background) is a solution also for a different kind of problem, fakes input dialogs.

Fixing only 123913 doesn't avoid a malicious site to popup a dialog equal to the
one that requests the master password, although it could not popup that window
over another page. This should anyway be made impossible to do.
Flags: blocking-aviary1.0.5+
beta 3 too.
Flags: blocking1.8b3+
Is this not a dupe of bug 22183?
Severity: enhancement → critical
Confirming to new, we need to come up with a solution for this and try to get it
in for 1.0.5.
Status: UNCONFIRMED → NEW
Ever confirmed: true
It would be good to have some sort of graphic in all dialog boxes that clearly
indicates if it's a 'safe' (master password, site password) or 'unsafe'
(js-input) dialog.

Possibly something similar to the lock icon, though possibly not exactly the
same to avoid confusion.

But in general I think icons are more obvious then text saying 'application
dialog' or something similar.
I think content-originating dialogs should have a distinctive appearance, like a
colored background or border.
This will partially be fixed by 298934.  We'll have to wait for a full fix in
the next major release.
Flags: blocking1.8b3-
Flags: blocking1.8b3+
Flags: blocking-aviary1.0.5-
Flags: blocking-aviary1.0.5+
This is exactly what has been requested in bug 101611.

I think we are already aware of a lot of problems, we just need the resources to
work on them.
See comment 9 (bug 298934 - show host as title if dialog comes frome a site) and
comment 10.

*** This bug has been marked as a duplicate of 101611 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: DUPEME
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.