Closed Bug 559556 Opened 15 years ago Closed 13 years ago

Add warning to HTTP Basic auth prompt to increase phishing attack protection

Categories

(Firefox :: Security, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 647010

People

(Reporter: oxdef, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9

There is a kind of phishing attack where a malicious man posts to some web page a picture with src pointed to a malicious script with HTTP Basic Authentication. So when the victim tries to browse such a page, he sees a prompt like this:

.============================================.
|           Authenticate Required            |
|============================================|
| A username and password are being          |
| requested by http://...                    |
| The site says: "..."                       |
|                                            |
| Username: [________________________]       |
| Password: [________________________]       |
|                                            |
|                        [ Cancel ]  [ OK ]  |
'--------------------------------------------'

And the victim thinks (even when he sees "requested by http://..") that this prompt is for the legal site and sends his auth data. The problem is that the message "requested by http://.." is not noticeable. It would be great if, in the case when the current site domain and the domain in the URL of such an image with basic auth differ, Firefox showed a more noticeable message like: "Achtung! You are trying to send auth data to 3rd party web site!"

Reproducible: Always

Steps to Reproduce:
1. try to open some URL with HTTP basic auth
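The check requested in the report above, sketched as an added example (not part of the original report and not Firefox code). The function names, the response object shape and the sample hosts are assumptions, and it compares full origins, which is stricter than the domain comparison the report asks for.

```javascript
// Added example: decide whether an HTTP Basic auth challenge was issued by
// a different origin than the page the user is looking at.

// Return { realm } for a Basic challenge, or null when the
// WWW-Authenticate value uses another scheme or is missing.
function parseBasicChallenge(headerValue) {
  if (typeof headerValue !== "string") return null;
  const m = /^\s*basic(?:\s+(.*))?$/i.exec(headerValue);
  if (!m) return null;
  const realm = /realm\s*=\s*"((?:[^"\\]|\\.)*)"/i.exec(m[1] || "");
  // The realm is the 'The site says: "..."' text. It is chosen by the
  // challenging server, so it must never be treated as proof of identity.
  return { realm: realm ? realm[1].replace(/\\(.)/g, "$1") : "" };
}

// topLevelUrl: URL shown in the address bar.
// response: { url, status, headers } of the subresource (hypothetical shape,
// header names lower-cased).
function classifyAuthPrompt(topLevelUrl, response) {
  if (response.status !== 401) return { prompt: false };
  const challenge = parseBasicChallenge(response.headers["www-authenticate"]);
  if (!challenge) return { prompt: false };

  const page = new URL(topLevelUrl);
  const requester = new URL(response.url);
  const crossOrigin = page.origin !== requester.origin;
  return {
    prompt: true,
    crossOrigin,
    requester: requester.origin,
    realm: challenge.realm,
    warning: crossOrigin
      ? `You are about to send credentials to ${requester.host}, not to ${page.host}.`
      : null,
  };
}

// Constructed sample: an image embedded in a forum page answers 401.
const sample = classifyAuthPrompt("https://forum.example/thread/1", {
  url: "http://img.attacker.example/pic.png",
  status: 401,
  headers: { "www-authenticate": 'Basic realm="forum.example login"' },
});
console.log(sample.warning);
```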
Thanks for the report, sorry it took us so long to notice :/ Duping forward since the new bug has some additional info.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE