Closed Bug 91750 Opened 24 years ago Closed 24 years ago

Master password dialog easily spoofable

Categories

(Core :: Security, defect)

VERIFIED DUPLICATE of bug 64676

People

(Reporter: greenrd, Assigned: security-bugs)

Attachments

(1 file)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2+) Gecko/20010720
BuildID: 2001072008

The master password dialog box for the password manager is too easy to spoof. An attacker could pop up a "close enough" approximation to the master password dialog, as (arguably) in URL above, and thus gain a user's master password. This could possibly allow them to enter a variety of that user's accounts, perform identity fraud, read and modify confidential information, etc. - if they had login access to the user's machine. Or, more likely, it is quite possible that the user is using the same password for their "master password" as some other password, e.g. login password, root password, etc. I was, because it's convenient and I didn't realise the risk. The master password is never transmitted across the network, so I'm safe, right?

I haven't done a complete spoof - still needs a transparent gif with an onclick handler to post the password to the attacker, and some cleaning up.

Suggestions:

1. Require a privileged key combination (which cannot be trapped by javascript) before entering the master password. Something that can be done one-handed and is easy to remember and configurable. The privileged key combination automatically pops up a big red warning modal dialog if you are not actually in the real master password dialog. I think this is the best solution. This is similar to the method used by WinNT and Win2000 to deter login dialog spoofing - ctrl+alt+del, which cannot be trapped by userspace apps (right?), is required to log on.

2. Alternatively, add a compulsory, easily noticeable "Javascript popup window" footer to all non-privileged popups. Similar to the "Java applet window" footer on Java applet windows. Also, add a prominent notice to the password dialog saying something like, "WARNING: If you see "Javascript popup window" below, this is a FAKE!"
   Disadvantage: The window could conceivably be positioned at the bottom of the screen, so as to hide the telltale sign. Many users would simply assume a mozilla glitch, and type their passwords in anyway.

3. Alternatively, put a special string like "!! SECURE" in the master password dialog title, or even a special colourful icon or symbol, and do not allow any other popups to have this in their title. Add a prominent notice to the password dialog saying something like, "WARNING: If you do not see "!! SECURE" in the title above, this is a FAKE!"

4. Additionally, users should be advised NOT to use the same password for their master password as any other password, so if their master password is stolen, there may be less or no damage. (Of course, we all know users don't RTFM, so this alone isn't sufficient.)

Any warnings, identifying features would have to stand out, but not be highly irritating. Clearly, there is no technological fix to social engineering, so this problem cannot be completely solved. There will always be some users who will ignore warnings. However, if a user is clued-up enough to turn on the password manager, they are probably clued-up enough to follow warnings like the examples above.

Steps to Reproduce:
1. Go to URL above.
2. Wait for dialog to pop up. (ensure popups are enabled!)
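Suggestion 3 in the report above only works if unprivileged windows cannot put the reserved string, or something that renders like it, in their own titles. A sketch of that check follows as an added example; it is not part of the original report or of Mozilla's code. The function names and the withheld-title placeholder are hypothetical, and only the "!! SECURE" string comes from the report.

```javascript
// Added example (hypothetical names); only "!! SECURE" comes from the report.
const RESERVED_MARKER = "!! SECURE";
const WITHHELD_TITLE = "(title withheld)"; // hypothetical placeholder text

// Reduce a title to a comparison key so trivial variants of the marker match:
// NFKC folds fullwidth and other compatibility characters, format characters
// (zero-width space, joiners, BOM) and all whitespace are dropped, and case
// is folded.
// Limitation: letters from other scripts that merely look alike are not
// folded by NFKC; that needs a confusables table (Unicode UTS #39).
function comparisonKey(title) {
  return String(title)
    .normalize("NFKC")
    .replace(/[\p{Cf}\s]/gu, "")
    .toUpperCase();
}

const RESERVED_KEY = comparisonKey(RESERVED_MARKER); // "!!SECURE"

// True if an untrusted title would display something a user could read
// as the reserved marker.
function claimsSecureMarker(title) {
  return comparisonKey(title).includes(RESERVED_KEY);
}

// Title the window code actually displays. isPrivileged must be decided by
// the browser itself (chrome vs. content), never by the page asking for it.
function displayedTitle(requestedTitle, isPrivileged) {
  if (isPrivileged) {
    return `${RESERVED_MARKER} ${requestedTitle}`;
  }
  return claimsSecureMarker(requestedTitle) ? WITHHELD_TITLE : requestedTitle;
}

// Constructed sample titles: [requested title, privileged?]
const samples = [
  ["Master Password", true],
  ["Weather report", false],
  ["!! SECURE Master Password", false],
  ["!!\u200B secure - Master Password", false], // zero-width space inserted
  ["\uFF01\uFF01 \uFF33\uFF25\uFF23\uFF35\uFF32\uFF25", false], // fullwidth
  ["Insecure connection!", false],
];
for (const [title, privileged] of samples) {
  console.log(JSON.stringify(displayedTitle(title, privileged)));
}
```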
The popup is actually quite scarily similar to the real dialogue. I'll post side-by-side screenshots for comparison. Marking NEW, increasing severity to major and changing Platform and OS to All (I'm using Windows and the dialogues looked similar - I'm sure it's the same with Mac OS).
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: PC → All
Attached image Spot the difference
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
see also bug 31573, bug 43960

*** This bug has been marked as a duplicate of 64676 ***
Is this really a duplicate? Is not the password dialog in question also just a javascript prompt()? Or will we have a way of differentiating chrome and non-chrome prompts?
Marking VERIFIED DUPLICATE.
Status: RESOLVED → VERIFIED