Closed
Bug 333710
Opened 18 years ago
Closed 18 years ago
Stealing the password to the secrets repository
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 101611
People
(Reporter: hadmut, Unassigned)
Details
Attachments
(2 files)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060226 Debian/1.5.dfsg+1.5.0.1-3 Firefox/1.5.0.1 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060226 Debian/1.5.dfsg+1.5.0.1-3 Firefox/1.5.0.1 Hi, when accessing web sites which ask for a password or require to use a client SSL certificate, firefox (mozilla, thunderbird) take passwords and SSL secret keys from their secrets repository. The repository is password protected. It's password is cached for some minutes. When accessing after cache timeout, firefox raises a window and ask for the repository's password. An attacker could fake this window and fetch the user's password: Usually the password dialog appears *on top* of the browser window. Thus, it looks as if the window was *inside* the browser window. An attacker (malicious web admin, web hijacker, man-in-the-middle, DNS poisoner) could modify a web page to display a dialog window *inside* the HTML window which looks as if the normal password dialog had appeared on top of the HTML window. Since the Browser sends it's Build Identifier/User Agent with every HTTP request, including the Operating System, Distribution, Version, the attacker could easily guess how the window decoration would look like (Windows, major Linux distributions in default configuration,...). The attacker generates a web page which looks as if a password dialog had appeared on top of it, but actually contains a HTML form. When the user enters the password, actually a web form is filled and the password is revealed. regards Hadmut Reproducible: Always
Reporter | ||
Comment 1•18 years ago
|
||
dialog with my fvwm
Reporter | ||
Comment 2•18 years ago
|
||
The dialog in gnome
Reporter | ||
Comment 3•18 years ago
|
||
I have attached two screenshots of different Linux decorations of the dialog (fvwm, gnome). Maybe easier with Windows. All the attacker needs to do is to have a web page with such a dialog embeded as graphics or through CSS. He could also have the decoration color toggled when the mouse is over the rectangle, as in a real dialog window. The user then would most probably enter the password without suspect. At least I do when the window appears. regards Hadmut
Comment 4•18 years ago
|
||
*** This bug has been marked as a duplicate of 101611 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•