Critical Firefox Flaw Makes it Easy Prey to ID Thieves
Aviv Raff, the Israeli security expert, has reported a flaw in the technique employed by Firefox to show verification dialogs that can permit identity thieves to acquire userID and password details, as reported by Heisesecurity on January 3, 2008.
As stated by the security experts, the Realm, the authorization dialog box, also shows details regarding the web server that has released the authorization request. Anybody can apply single quotes and blanks to create a dialog capable of duping individuals into believing they are seeing a legitimate site, despite the fact that the dialog might have in reality emanated from a phishing site.
The flaw infects Mozilla Firefox 188.8.131.52 and there are chances of former variants of the web browser also having been infected. Several other products of Mozilla Foundation may also been compromised.
Security experts allege that the flaw persists since Firefox doesn't remove all the characters in the authorization box for the Realm value that identifies the address or location of the authorization. Per se, it is may allow a hacker to malevolently create a Realm value that appears as if the password dialog box originates from a legitimate site, like a financial organization.
After the target opens up the link, the authentic web page leads to another window and a script runs to send this dialog box to the hacker's web server, which afterwards sends back the specifically created key authorization reply, stated Raff, according to statement reported by Internetnews on January 4, 2008.
Raff also described two potential vectors. One vector would depend on a rogue site that contained a link to an established bank, or a web messaging service like Hotmail or Gmail, which when opened would show its log-on dialog. The hacker would then create a script in the background exploiting the Firefox flaw and forward the userID and password logged in by the user to his/her own computer in place of the actual website.
Security experts have recommended that till Mozilla patches the flaw, individuals should not impart userID and password to sites that display any type of dubious dialog.
Related article: Critical Infrastructure Flaw Vulnerable to Hacking
» SPAMfighter News - 15-01-2008