Mozilla Foundation Security Advisory 2005-24

HTTP auth prompt tab spoofing

Announced: February 24, 2005
Reporter: Christian Schmidt
Risk: Low
Impact: Low
Products: Firefox, Mozilla Suite
Fixed in:
  • Firefox 1.0.1
  • Mozilla Suite 1.7.6

Description

The HTTP authentication prompt appears above the tab currently in the foreground, regardless of which tab triggered it. A spoofer who could get a user to open a high-value target in another tab might be able to capture the user's ID and password. HTTP auth dialogs are visually distinct from the web form logins used by most commercial sites, and the HTTP auth dialog clearly states which host it is for. Exploitation of this seems unlikely.
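A simplified model of the prompt-placement flaw described above, given as an added example that is not Mozilla's code. The `Browser` class, the hostnames and the `focus-origin` policy (bringing the originating tab to the front before prompting) are assumptions made for illustration, not a description of the shipped fix.

```javascript
// Toy model of a tabbed browser; all names and hosts are constructed.
class Browser {
  constructor(promptPolicy) {
    this.tabs = [];                   // each tab: { id, host }
    this.selected = null;             // id of the foreground tab
    this.promptPolicy = promptPolicy; // "overlay-foreground" | "focus-origin"
  }

  openTab(host, { foreground = true } = {}) {
    const tab = { id: this.tabs.length, host };
    this.tabs.push(tab);
    if (foreground || this.selected === null) this.selected = tab.id;
    return tab;
  }

  // Called when a request issued by `originTab` receives a 401 challenge.
  // Returns what the user sees at the moment the dialog is drawn.
  onAuthChallenge(originTab, challengeHost) {
    if (this.promptPolicy === "focus-origin") {
      // Assumed mitigation: show the tab that triggered the challenge first,
      // so the page behind the dialog is the page that asked for credentials.
      this.selected = originTab.id;
    }
    // With "overlay-foreground" the dialog is drawn over whatever tab is
    // selected, which is the behaviour the advisory describes.
    const visible = this.tabs[this.selected];
    return {
      dialogHost: challengeHost,       // host named in the auth dialog
      pageBehindDialog: visible.host,  // page the user is looking at
      contextMatches: visible.id === originTab.id,
    };
  }
}

// Scenario from the description: a background tab triggers the prompt
// while the user is viewing a different, trusted site.
function scenario(policy) {
  const b = new Browser(policy);
  const background = b.openTab("untrusted.example");
  b.openTab("bank.example"); // becomes the foreground tab
  return b.onAuthChallenge(background, "untrusted.example");
}
```

In the `overlay-foreground` case the only cue left to the user is the mismatch between `dialogHost` and `pageBehindDialog`, which is the check the workaround asks for.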

Workaround

Do not browse trusted and untrusted sites in the same session. When presented with a site login dialog, double-check that it is for the site you think it is for.

References