Mozilla Foundation Security Advisory 2005-24

Title: HTTP auth prompt tab spoofing
Severity: Low
Risk: Low
Reporter: Christian Schmidt
Products: Firefox, Mozilla Suite

Fixed in: Firefox 1.0.1
  Mozilla Suite 1.7.6

Description

The HTTP authentication prompt appears above the currently open tab regardless of which tab triggered it. A spoofer who could get a user to open a high-value target in another tab might be able to capture the user's ID and password. HTTP auth dialogs are visually distinct from the web form logins used by most commercial sites, and the HTTP auth dialog clearly states which host it is for. Exploitation of this seems unlikely.

Workaround

Do not browse trusted and untrusted sites in the same session. When presented with a site login dialog, double-check that it is for the site you think it is for.
