The default bug view has changed. See this FAQ.

Cross-Site Basic Authentication for embedded resources can be used maliciously

RESOLVED DUPLICATE of bug 647010

Status

()

Firefox
Security
RESOLVED DUPLICATE of bug 647010
5 years ago
5 years ago

People

(Reporter: Stefano Palazzo, Unassigned)

Tracking

8 Branch
x86
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 585220 [details]
Simple example implementation of the attack (Python 3.x)

User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.12 Safari/535.11

Steps to reproduce:

Create a web server that serves an image including an Authorization header; records all usernames and passwords, serves the image in any case.

Then embed the image in a website that allows it (a forum, webchat, wikipedia).


Actual results:

Firefox displays a popup prompting the user to enter a username and password. A user doesn't realise it's a foreign popup, enters their username/password for the site embedding the image, the attacker now knows their credentials, everything looks normal again.


Expected results:

Firefox should not display the Authorization popup if the resource doesn't have the same origin as the embedding page.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 647010
You need to log in before you can comment on or make changes to this bug.