web application security lab

Cross Domain Basic Auth Phishing Tactics

I’ve talked about this problem before: using basic authentication to phish users across domains. But it might be good to do a quick refresher for those of you who don’t know what I’m talking about. A bad guy includes a reference to an image on a domain that is protected by HTTP basic authentication (an Apache module, or a server he runs himself). When the browser fetches that image, it pops up a basic authentication dialog on the site that you want to phish credentials from. The only problem with this is that the basic auth dialog shows the hostname of the server issuing the challenge in its title. Well, Alex found a few potential workarounds to that issue:

I’ve found some nice bugs in Opera and IE (7.0), which could trick a user into thinking that he/she’s on the right server, ’cause the server’s hostname looks like what they expect it to. Opera truncates the server’s hostname after the 34th character and adds three dots “…” at the end. This could be overlooked. I’ve reported that to the vendors of Opera and they don’t know of a solution. Well, sounds very funny. They could display the whole string like other browsers do, but they don’t want to change the layout of their dialogue … They were not very happy with the other suggestions I had (explicit warning message, etc.) for them. So, there will be no change in the future, I think. Due to the missing status bar (default setting) you can’t see where it probably came from => “Waiting for phishers.com …” (And if you go to enable it, there will be no output on the bar. *G*)

Don’t forget that there’s no link you must click on. An embedded image is good enough.

(Use Opera for testing: http://testing.bitsploit.de/test.html )

The second bug, which leads to phishing, is in MSIE 7. If you use IDN domain names like microsoft.de with a Cyrillic lowercase o instead of a Latin one, you won’t see the real hostname in the HTTP-Auth dialogue (www.xn--blabla.de). Only the status bar is showing the real hostname while showing the dialogue. That’s bad, but Ronald van den Heetkamp told me that this shouldn’t be a big problem. (Don’t know how, ’cause IE7 ignores something like status=no and e.g. Firefox gives no access to rewrite the status bar string as a default setting.)

I’ve informed MS, but they didn’t respond so far.

The IDN thing is interesting because I’m sure if you were in the field a few years back this will sound familiar: people setting up fake websites that looked in every way like the target website, except one letter would be Cyrillic. That mostly affected Firefox and Netscape (because it used the Gecko rendering engine), but now it looks as if IE might also run into problems. Not that I think a ton of people fall for this sort of thing, but even if it’s only vaguely useful, it’s still something we should consider as a workable attack vector.
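As an added illustration (not code from the original post or from Alex’s tests), here is the check a browser, proxy or auth dialog should apply to the challenging host before displaying it: show the full xn-- (punycode) form, never a truncated one, and flag any label that mixes Latin with another script. The hostnames are constructed; the look-alike uses a Cyrillic small o (U+043E) where the post describes one.

```python
import unicodedata

# Constructed sample hostnames (not from the original post): an all-Latin name
# and a look-alike whose first "o" is CYRILLIC SMALL LETTER O (U+043E).
LATIN_HOST = "www.microsoft.de"
HOMOGRAPH_HOST = "www.micr\u043esoft.de"


def scripts_in_label(label):
    """Approximate the set of scripts used in one DNS label.

    The first word of the Unicode character name ("LATIN", "CYRILLIC", ...)
    stands in for the Script property, which the stdlib does not expose.
    """
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and hyphens belong to no script
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(label):
    """True when a single label mixes scripts, the classic homograph pattern."""
    return len(scripts_in_label(label)) > 1


def to_punycode(host):
    """ASCII-compatible (xn--) form of the host: the string a dialog should show."""
    return host.encode("idna").decode("ascii")


def display_host_for_dialog(host):
    """Build the untruncated hostname string for an HTTP auth dialog.

    Always returns the xn-- form so a Cyrillic o cannot pass for a Latin one,
    and appends a warning when any label mixes scripts.
    """
    ace = to_punycode(host)
    mixed = any(is_mixed_script(label) for label in host.split("."))
    return f"{ace} (WARNING: mixed-script label)" if mixed else ace


if __name__ == "__main__":
    for h in (LATIN_HOST, HOMOGRAPH_HOST):
        print(repr(h), "->", display_host_for_dialog(h))
```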

5 Responses to “Cross Domain Basic Auth Phishing Tactics”

  1. BobJones Says:

    Could they not simply show the first 15 characters of the URL, three …, and then the final 16?

    Example: pishing-site-sit…hahahahahaha.com

  2. Alex Says:

    Here’s a screenshot of the HTTP-Auth dialogue of IE 7: https://www.bitsploit.de/uploads/Bilder/200706081931/idn-ie7.png

    As you see, the title of the dialogue and the server’s string don’t show the real hostname, but the status bar.

    Special thanks go to Eric Johanson, who allowed me to use his IDN domain for testing.

  3. Computer Guru Says:

    I believe you can work around the IDN issue in IE7 by setting the “encode domain names” option in Tools | Internet Options.

    But that’s not really the point I guess… And Microsoft says the days of “opt-in security” are over!

  4. Legionnaire Says:

    @BobJones: That wouldn’t be much of a solution. The phishing site may differ only by a character somewhere in the middle!

  5. Piggy Says:

    Hey, I’m new to phishing. I’ve just started learning about it, and think it’s more effective than sql injection, but I really don’t know much about it. If you could, will you email me at: piggster454@rfci.net and help me a bit with it? Thanks.