Closed Bug 714543 Opened 13 years ago Closed 13 years ago

Cross-Site Basic Authentication for embedded resources can be used maliciously

Categories

(Firefox :: Security, defect)

8 Branch
x86
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 647010

People

(Reporter: stefano-palazzo, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.12 Safari/535.11

Steps to reproduce:

Create a web server that serves an image including an Authorization header; records all usernames and passwords, serves the image in any case. Then embed the image in a website that allows it (a forum, webchat, Wikipedia).

Actual results:

Firefox displays a popup prompting the user to enter a username and password. A user doesn't realise it's a foreign popup, enters their username/password for the site embedding the image, the attacker now knows their credentials, everything looks normal again.

Expected results:

Firefox should not display the Authorization popup if the resource doesn't have the same origin as the embedding page.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
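
The behaviour requested under "Expected results", sketched as an added example (not Firefox code and not part of the original report): a 401 Basic challenge raises a credential prompt only when the embedded resource shares the embedding page's origin. The function names, return shape and sample hosts are assumptions made for illustration, and only the Basic scheme is modelled.

```javascript
// Added illustration; all names and hosts here are hypothetical.

// Serialized origin of a URL, or null when it is unparsable or opaque
// (data:, blob-less file:, etc. serialize to the string "null").
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin;
  } catch (_) {
    return null;
  }
}

// Realm of a Basic challenge in a WWW-Authenticate value, "" when the
// challenge has no realm, or null when no Basic challenge is present.
function basicRealm(wwwAuthenticate) {
  if (typeof wwwAuthenticate !== "string") return null;
  const m = /(?:^|,)\s*basic\b(?:\s+[^,]*?realm="([^"]*)")?/i.exec(wwwAuthenticate);
  return m ? (m[1] || "") : null;
}

// Decide whether a subresource response may trigger the credential dialog.
// pageUrl is the embedding document, resourceUrl the embedded image.
function authPromptDecision(pageUrl, resourceUrl, status, wwwAuthenticate) {
  if (status !== 401) return { prompt: false, reason: "no-challenge" };
  const realm = basicRealm(wwwAuthenticate);
  if (realm === null) return { prompt: false, reason: "not-basic" };
  const page = originOf(pageUrl);
  const resource = originOf(resourceUrl);
  // Scheme, host and port must all match; default ports are normalized
  // by the URL parser, so https://h and https://h:443 compare equal.
  if (page === null || resource === null || page !== resource) {
    return { prompt: false, reason: "cross-origin-subresource" };
  }
  return { prompt: true, reason: "same-origin", realm };
}

// Constructed sample: a forum page embedding an image from another host.
const sample = authPromptDecision(
  "https://forum.example/thread/1",
  "https://images.other.example/avatar.png",
  401,
  'Basic realm="forum.example login"'
);
console.log(sample); // prompt suppressed: cross-origin-subresource
```

The realm string is chosen by the responding server, so it cannot be used to tell the user which site is asking; the decision rests on the origin comparison alone.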