Install source spoofing with user:pass@host
- February 24, 2005
- Phil Ringnalda
- Firefox, Mozilla Suite, Thunderbird
- Fixed in
- Firefox 1.0.1
- Mozilla Suite 1.7.6
- Thunderbird 1.0.2
The installation confirmation dialog shows the source of the software. By adding a long, fake "user:pass" in front of the true hostname the user might be convinced to trust software that comes from an untrustworthy source. This is similar to attempts used in some phishing mail: "http://email@example.com/install.xpi".
By default Firefox only allows install attempts from http://update.mozilla.org, a user would need to explicitly allow the spoofing host to initiate installs before it could try this trick.
Do not install software when prompted by untrusted sites. Enlarge the install confirmation dialog and verify that "@" does not appear before the first "/" character.