Mozilla Foundation Security Advisory 2005-24

Title: HTTP auth prompt tab spoofing
Severity: Low
Risk: Low
Reporter: Christian Schmidt
Products: Firefox, Mozilla Suite

Fixed in: Firefox 1.0.1
  Mozilla Suite 1.7.6

Description

The HTTP authentication prompt appears above the currently open tab regardless of which tab triggered it. A spoofer who could get a user to open a high-value target in another tab might be able to capture the user's ID and password. HTTP auth dialogs are visually distinct from the web form logins used by most commercial sites, and the HTTP auth dialog clearly states which host it is for. For these reasons, exploitation seems unlikely.

Workaround

Do not browse trusted and untrusted sites in the same session. When presented with a site login dialog, double-check that it is for the site you think it is for.
