Closed Bug 333710 Opened 18 years ago Closed 18 years ago

Stealing the password to the secrets repository

Categories

(Firefox :: General, defect)

x86
Linux
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 101611

People

(Reporter: hadmut, Unassigned)

Details

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060226 Debian/1.5.dfsg+1.5.0.1-3 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060226 Debian/1.5.dfsg+1.5.0.1-3 Firefox/1.5.0.1

Hi,

when accessing web sites which ask for a password or require to use a client SSL certificate, firefox (mozilla, thunderbird) take passwords and SSL secret keys from their secrets repository. 

The repository is password protected. It's password is cached for some minutes. When accessing after cache timeout, firefox raises a window and ask for the repository's password. 

An attacker could fake this window and fetch the user's password:

Usually the password dialog appears *on top* of the browser window. Thus, it looks as if the window was *inside* the browser window. 

An attacker (malicious web admin, web hijacker, man-in-the-middle, DNS poisoner) could modify a web page to display a dialog window *inside* the HTML window which looks as if the normal password dialog had appeared on top of the HTML window. Since the Browser sends it's Build Identifier/User Agent with every HTTP request, including the Operating System, Distribution, Version, the attacker could easily guess how the window decoration would look like (Windows, major Linux distributions in default configuration,...).

The attacker generates a web page which looks as if a password dialog had appeared on top of it, but actually contains a HTML form. When the user enters the password, actually a web form is filled and the password is revealed. 

regards
Hadmut




Reproducible: Always
Attached image Example dialog
dialog with my fvwm
Attached image gnome dialog
The dialog in gnome
I have attached two screenshots of different Linux decorations of the dialog (fvwm, gnome). Maybe easier with Windows.

All the attacker needs to do is to have a web page with such a dialog embeded as graphics or through CSS. He could also have the decoration color toggled when the mouse is over the rectangle, as in a real dialog window. The user then would most probably enter the password without suspect. At least I do when the window appears. 

regards
Hadmut


*** This bug has been marked as a duplicate of 101611 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: