Closed Bug 705501 Opened 13 years ago Closed 13 years ago

Security hole: Defect in handling of password-protected embedded resources allows phishing.

Categories

(Firefox :: Security, defect)

8 Branch
x86
Windows XP
defect
Not set
normal


RESOLVED DUPLICATE of bug 647010

People

(Reporter: nielsen.sebastian, Unassigned)

Details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Steps to reproduce:

First I made a secure resource on my server, protected with "HTTP basic authorization". It doesn't matter which type of resource I used.

Then I embedded it into an unprotected page on another domain, another IP.
Then I visited the unprotected page, now containing the password-protected picture.


Actual results:

The password box popped up as usual.

This would allow a phishing security hole, where a FRAUDSTER posts an image, like "http://fraudster.baddomain.com/secured/image.jpg", on a forum, let's say "http://www.largeforum.com".

The server is configured to display the Realm "Please reauthenticate by entering your www.largeforum.com credentials again".

The server is also configured to accept any username/password and allow the resource to be viewed.

More advanced attacks can attempt a login at the forum with the credentials the user tried, through a proxy, thus thwarting users that "check if the login is genuine by entering invalid details, then correct details".

The FRAUDSTER then logs the details.


Expected results:

The password box should not appear AT ALL!

If the parent domain (the domain visible in the address bar, protocol - host - port triplet) and the protected domain (protocol - host - port triplet) do not match, and the browser does not have any stored details for the protected domain, no authentication attempt should occur.

Example:

protected image http://badboyz.com/picture.jpg posted on unprotected http://forum.com: Do not show authentication dialog, instead silently fail authentication.

protected image http://badboyz.com/picture.jpg posted on unprotected http://badboyz.com: Show authentication dialog as usual.

protected image http://badboyz.com/picture.jpg posted on protected http://forum.com: Show authentication dialog for http://forum.com . Silently fail authentication for http://badboyz.com

protected image http://badboyz.com/picture.jpg posted on protected http://badboyz.com: Show authentication dialog as usual. Use same credentials for both resources. If they have different realms, allow both dialogs to be shown.
----
Note: If the browser has stored auth credentials, either for the session or permanently, for a specific domain, try these before silently failing authentication.

In the above examples: If the browser has credentials accessible for badboyz.com, attempt authentication with those; this does not risk leaking the forum.com credentials or allow badboyz.com to phish forum.com credentials from the end user.
----

NOTE: The current implementation of showing the domain you are authenticating against is not sufficient. Users will not look at this, especially if the domain is similar. Note that most forums allow images to be posted, and this can steal credentials for anything.
Note that even if no forums are using HTTP Basic for authentication, users can be tricked anyway when that dialog pops up, because they will still think it's the forum asking for re-auth.

There's NO reason somebody would want to embed a password-protected resource from a third-party domain into the site.
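The decision rule the report proposes (prompt only when the top-level document and the protected resource share the same protocol/host/port origin, try stored credentials before failing silently, key credentials by origin plus realm) can be written down as a small policy function. This is an added example written here to illustrate the proposal; it is not Firefox code and not part of the bug report. The function names (`originOf`, `parseBasicChallenge`, `authDecision`) and the sample URLs and challenge header are constructed for the demonstration. It also shows why the realm string is untrustworthy: it is chosen by the server that answers the subresource request, so for a cross-origin image it is attacker-controlled text.

```javascript
// Added example (not Mozilla's implementation): a policy function for the
// cross-origin HTTP Basic prompt problem described in the report.

// Reduce a URL to its protocol/host/port triple. The URL parser drops
// default ports, so they are restored explicitly to make comparison exact
// (http://a.com/ and http://a.com:80/ must be the same origin).
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaultPorts[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Parse a "WWW-Authenticate: Basic realm=..." challenge. The realm is free
// text supplied by the responding server; when that server is not the
// top-level site, nothing about this string can be trusted to describe
// the page the user is looking at.
function parseBasicChallenge(headerValue) {
  const m = /^\s*Basic\s+realm\s*=\s*("([^"]*)"|([^,\s]*))/i.exec(headerValue);
  if (!m) return null;
  return { scheme: 'Basic', realm: m[2] !== undefined ? m[2] : m[3] };
}

// Decide what the browser should do for a 401 on an embedded resource.
//   topLevelUrl     - URL shown in the address bar
//   resourceUrl     - URL of the embedded resource that returned 401
//   challengeHeader - value of its WWW-Authenticate header
//   credentialStore - Map keyed by "<origin> <realm>" holding saved credentials
// Returns one of: 'ignore', 'use-stored', 'prompt', 'fail-silently'.
function authDecision(topLevelUrl, resourceUrl, challengeHeader, credentialStore) {
  const challenge = parseBasicChallenge(challengeHeader);
  if (!challenge) return { action: 'ignore' };          // not a Basic challenge
  const top = originOf(topLevelUrl);
  const res = originOf(resourceUrl);
  const key = `${res} ${challenge.realm}`;
  // Stored credentials for this origin+realm are tried without any dialog,
  // whether or not the origins match; no user-typed secret is at risk.
  if (credentialStore.has(key)) return { action: 'use-stored', origin: res };
  // Same origin as the address bar: a dialog is legitimate.
  if (top === res) return { action: 'prompt', origin: res, realm: challenge.realm };
  // Cross-origin with nothing stored: never show the dialog.
  return { action: 'fail-silently', origin: res };
}

// Constructed scenario from the report: a forum page embeds an image from an
// attacker-controlled host whose realm impersonates the forum.
function demo() {
  const store = new Map();
  const phishing = authDecision(
    'http://www.largeforum.com/thread/123',
    'http://fraudster.baddomain.com/secured/image.jpg',
    'Basic realm="Please reauthenticate by entering your www.largeforum.com credentials again"',
    store);
  const sameOrigin = authDecision(
    'http://badboyz.com/',
    'http://badboyz.com:80/picture.jpg',
    'Basic realm="pics"',
    store);
  store.set('http://badboyz.com:80 pics', { user: 'u', pass: 'p' });
  const stored = authDecision(
    'http://forum.com/',
    'http://badboyz.com/picture.jpg',
    'Basic realm=pics',
    store);
  return { phishing, sameOrigin, stored };
}

console.log(demo());
```

The store key includes the realm, which gives the behaviour the last example in the report asks for: two protected resources on the same origin with different realms each get their own dialog, while a repeat of the same realm reuses what was already entered.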

Thank you for the report. We actually have this bug on file already: bug 647010.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE