Bug 714543 - Cross-Site Basic Authentication for embedded resources can be used maliciously
Status: RESOLVED DUPLICATE of bug 647010
Product: Firefox
Classification: Client Software
Component: Security
Version: 8 Branch
Platform: x86 Linux
Importance: -- normal with 2 votes
Assigned To: Nobody; OK to take it and work on it
Reported: 2012-01-01 11:51 PST by Stefano Palazzo
Modified: 2012-01-24 14:42 PST


Attachments
Simple example implementation of the attack (Python 3.x) (1.68 KB, text/plain)
2012-01-01 11:51 PST, Stefano Palazzo

Description Stefano Palazzo 2012-01-01 11:51:12 PST
Created attachment 585220
Simple example implementation of the attack (Python 3.x)

User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.12 Safari/535.11

Steps to reproduce:

Create a web server that serves an image including an Authorization header; it records all usernames and passwords and serves the image in any case.

Then embed the image in a website that allows it (a forum, webchat, Wikipedia).


Actual results:

Firefox displays a popup prompting the user to enter a username and password. A user doesn't realise it's a foreign popup and enters their username/password for the site embedding the image; the attacker now knows their credentials, and everything looks normal again.


Expected results:

Firefox should not display the Authorization popup if the resource doesn't have the same origin as the embedding page.
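The same-origin rule the expected result asks for, as an added example (not the reporter's attachment and not Firefox code): a subresource's 401 challenge may open a credential prompt only when the resource's origin matches the embedding document's origin, and the attacker-chosen realm text plays no part in that decision. The URLs, realm strings and function names are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Default port per scheme, so "https://host" and "https://host:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return the (scheme, host, port) origin triple of an absolute URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostname is already lower-cased by urlsplit
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_prompting_challenge(www_authenticate: str) -> bool:
    """True if the WWW-Authenticate header offers a scheme a browser prompts for.

    Only the scheme token is inspected. The realm is chosen by whoever serves the
    resource, so a realm reading "forum.example login" proves nothing and must
    never lend the prompt credibility. (Splitting on commas is a simplification
    of the header grammar; it is enough to recognise the scheme tokens.)
    """
    for challenge in www_authenticate.split(","):
        scheme = challenge.strip().split(" ", 1)[0].lower()
        if scheme in ("basic", "digest"):
            return True
    return False


def should_prompt(document_url: str, resource_url: str,
                  www_authenticate: str, is_subresource: bool) -> bool:
    """Decide whether a 401 for resource_url may show a credential dialog.

    A top-level navigation may prompt: the user chose to go there. A subresource
    (image, script, frame, ...) may prompt only when it is same-origin with the
    document embedding it, so an image hosted elsewhere cannot raise a login box
    that appears to belong to the page the user is reading.
    """
    if not is_prompting_challenge(www_authenticate):
        return False
    if not is_subresource:
        return True
    return origin(document_url) == origin(resource_url)


if __name__ == "__main__":
    # Constructed scenario from the report: a forum thread embeds a third-party
    # image whose server answers 401 with a Basic challenge naming the forum's realm.
    page = "https://forum.example/thread/1"
    print(should_prompt(page, "https://img.other.test/pic.png", 'Basic realm="forum.example"', True))
    print(should_prompt(page, "https://forum.example/avatars/me.png", 'Basic realm="members"', True))
```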
Comment 1 Gavin Sharp [email: gavin@gavinsharp.com] 2012-01-24 14:42:09 PST

*** This bug has been marked as a duplicate of bug 647010 ***