Flaws in the way the latest version of Mozilla Firefox presents authentication dialog boxes leave the door open for cybercrooks to trick users into handing over login credentials, a leading security researcher warns.

The spoofing weakness - discovered by Israeli security researcher Aviv Raff - involves a failure by the open source browser to sanitise single quotation marks and spaces in the "realm" value of an authentication header.

"This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site," Raff explained.

Exploitation of the bug might involve embedding a rigged image on a MySpace page that would pose as a log-on dialog to Amazon.com, for example, while actually sending data to systems controlled by hackers. Alternatively, a hacker might attempt to trick users into visiting a maliciously constructed web page featuring a link to a trusted website. If a victim clicks on the link, the trusted web page will be opened in a new window. Meanwhile, in the background, a script will be executed to redirect the newly opened window to the attacker's web server, returning the specially crafted basic authentication response.

Firefox 2.0.0.11 is vulnerable to the issue, according to Raff. Previous versions of the popular open source browser may also be flawed.

Raff has posted an advisory (http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx) explaining the vulnerability and its possible misuse in phishing attacks. The advisory links to a video illustrating the exploit, also created by Raff, that shows the misuse of the flaw to spoof Google Checkout. A low-resolution version of the video (as below) has been posted onto YouTube.

Mozilla researchers are investigating the issue. Pending the availability of a fix Raff, who's previously discovered vulnerabilities in Google's Toolbar and Apple's Safari web browser, advises users of the open source browser to avoid providing username and password information to sites displaying the dialog. ®

Related stories

Firefox 3 beta is live (13 February 2008)
http://www.channelregister.co.uk/2008/02/13/firefox_3_beta/
Phishing coders hook clueless crooks (24 January 2008)
http://www.channelregister.co.uk/2008/01/24/phishing_kit_backdoor/
Mozilla security chief confirms data leakage bug in Firefox (24 January 2008)
http://www.channelregister.co.uk/2008/01/24/firefox_data_leakage_bug/
Perl.com sends visitors to porn link farm (19 January 2008)
http://www.channelregister.co.uk/2008/01/19/perl_site_redirects_to_porn_site/
Poisoned MySpace page masquerades as Windows Update (12 January 2008)
http://www.channelregister.co.uk/2008/01/12/poisoned_myspace_page/
Mozilla pulls offensive viral campaign (8 January 2008)
http://www.channelregister.co.uk/2008/01/08/mozilla_pulls_viral_campaign/
Hackers turn Cleveland into malware server (8 January 2008)
http://www.theregister.co.uk/2008/01/08/malicious_website_redirectors/
Serious Flash vulns menace at least 10,000 websites (21 December 2007)
http://www.channelregister.co.uk/2007/12/21/flash_vulnerability_menace/
Mozilla rubbishes IE Firefox security study (3 December 2007)
http://www.channelregister.co.uk/2007/12/03/moz_ie_security_comparison/
Firefox update puts lid on Jar bug (27 November 2007)
http://www.channelregister.co.uk/2007/11/27/firefox_update/
Firefox version 3 makes beta (20 November 2007)
http://www.channelregister.co.uk/2007/11/20/firefox_beta_1/
After months of denial, Microsoft cops to IE vulnerability (12 October 2007)
http://www.channelregister.co.uk/2007/10/12/microsoft_uri_reversal/
Mozilla confirms own URL handling bug (25 July 2007)
http://www.channelregister.co.uk/2007/07/25/firefox_url_bug/
Google security vulnerabilties stack up (3 June 2007)
http://www.channelregister.co.uk/2007/06/03/google_vulns_stack_up/
Strange spoofing technique evades anti-phishing filters (25 May 2007)
http://www.channelregister.co.uk/2007/05/25/strange_spoofing_technique/
IE and Firefox blighted by fake login flaw (23 November 2006)
http://www.channelregister.co.uk/2006/11/23/fake_login_flaw/
Firefox outshines IE in phish fight (15 November 2006)
http://www.channelregister.co.uk/2006/11/15/firefox_phish_test/