Mozilla Foundation Security Advisory 2005-24

HTTP auth prompt tab spoofing

Announced

February 24, 2005

Reporter

Christian Schmidt

Risk

Low

Impact

Low

Products

Firefox, Mozilla Suite

Fixed in

Firefox 1.0.1
Mozilla Suite 1.7.6

Description

The HTTP authentication prompt appears above the currently open tab regardless of which tab triggered it. A spoofer who could get a user to open a high value target in another tab might be able to capture the user's ID and password. HTTP auth dialogs are visually distinct from the web form logins used by most commercial sites, and the HTTP auth dialog clearly states which host it's for. Exploitation of this seems unlikely.

Workaround

Do not browse trusted and untrusted sites in the same session. When presented with a site login dialog double-check that it is for the site you think it's for.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=277574

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice