Closed
Bug 559556
Opened 15 years ago
Closed 13 years ago
Add warning to HTTP Basic auth prompt to increase phishing attack protection
Categories
(Firefox :: Security, defect)
RESOLVED DUPLICATE of bug 647010
People
(Reporter: oxdef, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9
There is a kind of phishing attack where a malicious person posts to some web page a picture with src pointed to a malicious script with HTTP Basic Authentication. So when the victim tries to browse such a page he sees a prompt like this:
.============================================.
| Authenticate Required |
|============================================|
| A username and password are being |
| requested by http://... |
| The site says: "..." |
| |
| Username: [________________________] |
| Password: [________________________] |
| |
| [ Cancel ] [ OK ] |
'--------------------------------------------'
And the victim thinks (even when he sees "requested by http://..") that this prompt is for the legal site and sends his auth data.
The problem is that the message "requested by http://.." is not noticeable. It would be great if, in the case when the current site's domain and the domain in the URL of such an image with basic auth differ, Firefox showed a more noticeable message like: "Achtung! You are trying to send auth data to 3rd party web site!"
Reproducible: Always
Steps to Reproduce:
1. Try to open some URL with HTTP basic auth
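The check proposed in the report above, as an added example that is not part of the original bug and is not Firefox code: compare the host of the page in the address bar with the host that answered with a Basic challenge, and treat the realm ("The site says") as untrusted text. The function names and sample URLs are hypothetical and constructed, and exact hostname comparison is an assumption about what "domain differs" means.

```javascript
'use strict';

// Parse a WWW-Authenticate header value. Returns { realm } for a Basic
// challenge, or null for any other scheme (hypothetical helper).
function parseBasicChallenge(headerValue) {
  const m = /^\s*Basic\b(.*)$/i.exec(headerValue || '');
  if (!m) return null;
  const realm = /realm\s*=\s*"((?:[^"\\]|\\.)*)"/i.exec(m[1]);
  // Undo quoted-pair escaping inside the quoted string.
  return { realm: realm ? realm[1].replace(/\\(.)/g, '$1') : '' };
}

// Decide what the credential prompt should show for a 401 answered by
// `requestUrl` while the user is viewing `pageUrl` (the address-bar URL).
function classifyAuthPrompt(pageUrl, requestUrl, wwwAuthenticate) {
  const challenge = parseBasicChallenge(wwwAuthenticate);
  if (!challenge) return { prompt: false };

  const page = new URL(pageUrl);   // URL normalizes host case
  const req = new URL(requestUrl);
  const thirdParty = page.hostname !== req.hostname;

  // The realm is chosen by the server asking for credentials, so it can
  // name any site it likes: strip control characters and cap the length.
  const realm = challenge.realm
    .replace(/[\u0000-\u001f\u007f]/g, ' ')
    .slice(0, 60);

  return {
    prompt: true,
    thirdParty,
    requester: req.host,
    realm,
    warning: thirdParty
      ? `Credentials would be sent to ${req.host}, not to ${page.host}`
      : null,
  };
}

// Constructed sample: an image embedded in a forum page, served by another host.
const sample = classifyAuthPrompt(
  'http://forum.example/thread/42',
  'http://img.attacker.example/avatar.png',
  'Basic realm="forum.example login"'
);
console.log(sample.warning);
```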
Comment 1•13 years ago
Thanks for the report, sorry it took us so long to notice :/ Duping forward since the new bug has some additional info.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE