Browser Security News

Israeli security specialist Aviv Raff has described how a vulnerability in the method used by Firefox to display authentication dialogs can allow phishers to obtain username and password information. Basic authentication is used to restrict access to a website by requesting a user name and password.

Next to the name of the remote instance, the Realm, the authentication dialog box also displays information about the web server that has issued the authentification request. It seems that Firefox is rather slipshod in the way it displays the Realm. Raff claims that anyone can use single quotes and spaces to construct a dialog that will trick users into believing they are viewing a trusted site, even though the dialog actually originates from a phishing site. Spoofing vulnerability in Firefox - heise Security