http://user:pass@site/ link asks ‘Is "user" the site you want to visit?’
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mozilla Firefox | Invalid | Medium | | |
| firefox (Fedora) | Fix Released | Medium | | |
| firefox-3.0 (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Binary package hint: firefox-3.0
[Mozilla upstream suggests this might be an Ubuntu problem, so I’m filing a report here.]
Before letting you visit a potentially confusing URL with an embedded HTTP username:password, Firefox pops up a “helpful” warning dialog asking you to confirm the site you intended to visit. Unfortunately, it asks you to confirm that you intend to visit the _username_, not that you intend to visit the real site!
For example:
http://
Confirm
You are about to log in to the site "members.
Is "www%2Egoogle%
[No] [Yes]
I’m using firefox-3.0 3.0.2+build3+
Changed in firefox: status: Unknown → New
Changed in firefox: status: Unknown → In Progress
Changed in firefox: status: New → Confirmed
Changed in firefox (Fedora): status: In Progress → Fix Released
Changed in firefox: importance: Unknown → Medium
Changed in firefox: status: Confirmed → Invalid
Changed in firefox (Fedora): importance: Unknown → Medium
I originally reported this upstream as https://bugzilla.mozilla.org/show_bug.cgi?id=449303 but it appears to be Fedora-specific.
There are screenshots attached to the upstream bug showing the behaviour I get.
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1
If you go to a URL with a basic auth username and password embedded in it, the
confirmation dialog asks if "mybank" is the site I want to visit, where
"mybank" is the username. If I do want to go to my bank I will click yes, and
be taken to the phishing site.
I believe the dialog should say 'is "www.mozilla.com" the site you want to
visit?' instead, since that's the site the URL goes to.
Reproducible: Always
Steps to Reproduce:
1. click on http://mybank:<email address hidden>/en-US/
2. click yes, thinking you're going to your bank account
Actual Results:
dialog says:
You are about to log in to the site "www.mozilla.com" with the user name
"mybank", but the web site does not require authentication. This may be an
attempt to trick you.
Is "mybank" the site you want to visit?
Expected Results:
dialog says:
You are about to log in to the site "www.mozilla.com" with the user name
"mybank", but the web site does not require authentication. This may be an
attempt to trick you.
Is "www.mozilla.com" the site you want to visit?
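The behaviour the report asks for, as an added example (not code from the bug report or from Firefox itself): parse the URL with the WHATWG URL parser that browsers and Node.js share, take the real host from it, and build the warning around that host rather than the username. The sample URLs and the `members.example` host are constructed; the percent-encoded username mirrors the `www%2Egoogle%…` lure shown in the description.

```javascript
// Added example: what a userinfo-URL confirmation dialog has to compute.
// The URL parser, not string inspection, decides which part is the host.

// Returns null when the URL carries no userinfo; otherwise the pieces a
// warning needs: the real host, the decoded username, and a flag saying
// whether the username has been dressed up to look like a hostname.
function analyzeUserinfoUrl(urlText) {
  const url = new URL(urlText);
  if (url.username === '' && url.password === '') return null;
  let shownUser = url.username;
  try {
    // "www%2Egoogle%2Ecom" decodes to "www.google.com" - the lure a user sees
    shownUser = decodeURIComponent(url.username);
  } catch (e) {
    // not valid percent-encoding: keep the raw form
  }
  // Heuristic (assumption, not part of the report): a username shaped like a
  // domain is the classic sign of an attempt to pass it off as the site.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(shownUser);
  return {
    host: url.hostname,
    username: shownUser,
    rawUsername: url.username,
    looksLikeHost,
  };
}

// The dialog text from the "Expected Results" above: the host is what the
// user is asked to confirm. The buggy dialog put the username in that
// last question instead.
function confirmationText(urlText) {
  const info = analyzeUserinfoUrl(urlText);
  if (info === null) return null;
  return `You are about to log in to the site "${info.host}" with the user name ` +
    `"${info.username}", but the web site does not require authentication. ` +
    `This may be an attempt to trick you.\n` +
    `Is "${info.host}" the site you want to visit?`;
}

// Constructed samples modelled on the two URLs in the report.
const samples = [
  'http://mybank:secret@www.mozilla.com/en-US/',
  'http://www%2Egoogle%2Ecom:x@members.example/',
  'http://www.mozilla.com/',
];
for (const s of samples) console.log(s, '=>', analyzeUserinfoUrl(s));
console.log(confirmationText(samples[0]));
```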