I’ve talked about this problem before - using basic authentication to phish users across domains. But it might be good to do a quick refresher for those of you who don’t know what I’m talking about. A bad guy can include a reference to an image hosted on a domain that is protected by an Apache module, or that protects itself, with HTTP basic authentication. That pops up a basic auth dialog on the site you want to phish credentials from. The only problem with this is that the basic auth dialog shows the hostname of the URL in its title. Well, Alex found a few potential workarounds to that issue:
I’ve found some nice bugs in Opera and IE (7.0), which could trick a user into thinking that he/she’s on the right server, ’cause the server’s hostname looks like what they expect it to. Opera truncates the server’s hostname after the 34th character and adds three dots “…” at the end. This could be overlooked. I’ve reported that to the vendors of Opera and they don’t know a solution. Well, sounds very funny. They could display the whole string like other browsers do, but they don’t want to change the layout of their dialogue … They were not very happy with all the other suggestions I had (explicit warning message, etc.) for them. So, there will be no change in the future, I think. Due to the missing status bar (default setting) you can’t see where it probably came from => “Waiting for phishers.com …” (And if you go to enable it, there will be no output on the bar. *G*)
Don’t forget that there’s no link you must click on. An embedded image is good enough.
(Use Opera for testing: http://testing.bitsploit.de/test.html )
The second bug, which leads to phishing, is in MSIE 7. If you use IDN domain names like microsoft.de with a Cyrillic lowercase o instead of a Latin one, you won’t see the real hostname in the HTTP auth dialogue (www.xn--blabla.de). Only the status bar shows the real hostname while the dialogue is displayed. That’s bad, but Ronald van den Heetkamp told me that this shouldn’t be a big problem. (Don’t know how, ’cause IE7 ignores something like status=no and e.g. Firefox gives no access to rewrite the status bar string as a default setting.)
I’ve informed MS, but they haven’t responded so far.
The IDN thing is interesting because I’m sure if you were in the field a few years back this will sound familiar - people setting up fake websites that looked in every way like the target website, except that one letter was Cyrillic. That mostly affected Firefox and Netscape (because it used the Gecko rendering engine), but now it looks as if IE might also run into problems. Not that I think a ton of people fall for this sort of thing, but even if it’s only vaguely useful, it’s still something we should consider as a workable attack vector.
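As an added example (not part of the original post or of Alex’s report), here is the kind of defender-side check that catches the IDN trick described above: it takes a hostname in either its Unicode or its punycode (xn--) form, produces both forms, and flags labels that mix scripts (the microsoft.de-with-a-Cyrillic-o case) as well as labels built entirely from Cyrillic letters that look like Latin ones, which a mixed-script check alone would miss. The script heuristic (first word of the Unicode character name) and the small lookalike table are my own constructed shortcuts, not a complete confusables list; the sample hostnames are constructed, and Python’s idna codec does the punycode work.

```python
import unicodedata

# Constructed, deliberately small table of Cyrillic letters that are visually
# close to Latin ones. Unicode's confusables.txt is the authoritative source;
# this is only enough to demonstrate the check.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h", "\u04cf": "l", "\u0501": "d",
}


def script_of(ch):
    """Heuristic script name taken from the Unicode character name, e.g.
    'LATIN' or 'CYRILLIC'. Returns None for non-letters (digits, hyphen)."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else None


def hostname_to_unicode(host):
    """Accept an ASCII/punycode hostname (labels starting with xn--) or a
    Unicode hostname and return the Unicode form."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def analyze_hostname(host):
    """Return the Unicode and ASCII (punycode) forms of a hostname together
    with findings that should make a reviewer look twice at the name a
    browser is about to show in an auth dialog or address bar."""
    uhost = hostname_to_unicode(host)
    ahost = uhost.encode("idna").decode("ascii")
    findings = []
    for label in uhost.split("."):
        # 1) Mixed scripts inside one label: Latin letters plus a Cyrillic o.
        scripts = {script_of(c) for c in label} - {None}
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        # 2) Whole-script lookalikes: every letter Cyrillic, but it reads as Latin.
        if any(c in CYRILLIC_LOOKALIKES for c in label):
            asciified = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
            findings.append(
                f"label {label!r} contains Cyrillic lookalikes; reads as {asciified!r}"
            )
    return {
        "unicode": uhost,
        "ascii": ahost,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed samples: a plain name, the Cyrillic-o variant from the post,
    # and an all-Cyrillic label that reads as the Latin word "cope".
    for sample in ["microsoft.de", "micr\u043esoft.de", "\u0441\u043e\u0440\u0435.com"]:
        print(analyze_hostname(sample))
```

The useful property for a defender is the ASCII form: whatever a dialog chooses to display, the name the browser actually resolves is the xn-- string, so logging and alerting on that form (and on any label with findings) removes the dependence on how a particular browser renders its title bar.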