If you go to a URL with a basic auth username and password embedded in it, the
confirmation dialog asks if "mybank" is the site I want to visit, where
"mybank" is the username. If I do want to go to my bank I will click yes, and
be taken to the phishing site.
I believe the dialog should say 'is "www.mozilla.com" the site you want to
visit?' instead, since that's the site the URL goes to.
Reproducible: Always
Steps to Reproduce:
1. click on http://mybank:<email address hidden>/en-US/
2. click yes, thinking you're going to your bank account
Actual Results:
dialog says:
You are about to log in to the site "www.mozilla.com" with the user name
"mybank", but the web site does not require authentication. This may be an
attempt to trick you.
Is "mybank" the site you want to visit?
Expected Results:
dialog says:
You are about to log in to the site "www.mozilla.com" with the user name
"mybank", but the web site does not require authentication. This may be an
attempt to trick you.
Is "www.mozilla.com" the site you want to visit?
I originally reported this upstream as
https://bugzilla.mozilla.org/show_bug.cgi?id=449303
but it appears to be Fedora-specific.
There are screenshots attached to the upstream bug showing the behaviour I get.
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.1)
Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.1)
Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1
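The behaviour the report asks for, sketched as an added example (not part of the original report and not Firefox code): the confirmation text is built from the host the URL parser returns, never from the userinfo the link supplies. The function names, the password in the sample URL and the lookalike heuristic are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not Firefox internals.
// Uses the standard WHATWG URL parser (global in browsers and Node.js).

// Percent-decoding can throw on malformed sequences; fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Separate what the link *claims* (userinfo) from where it *goes* (host).
function splitAuthority(href) {
  const u = new URL(href);
  return {
    host: u.hostname,                    // the site actually contacted
    username: safeDecode(u.username),    // attacker-controllable label
    hasUserinfo: u.username !== "" || u.password !== "",
  };
}

// Build the dialog text. Both the statement and the question name the host.
function superfluousAuthPrompt(href) {
  const { host, username, hasUserinfo } = splitAuthority(href);
  if (!hasUserinfo) return null;         // no embedded credentials, no prompt
  return [
    `You are about to log in to the site "${host}" with the user name ` +
      `"${username}", but the web site does not require authentication. ` +
      `This may be an attempt to trick you.`,
    `Is "${host}" the site you want to visit?`,
  ].join("\n");
}

// Assumed heuristic for link scanners: userinfo shaped like a dotted
// hostname is a stronger sign of a misleading link than a plain name.
function usernameLooksLikeHost(username) {
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(username);
}

// Constructed sample: host and user name from the report, password invented.
const SAMPLE = "http://mybank:placeholder@www.mozilla.com/en-US/";
console.log(superfluousAuthPrompt(SAMPLE));
```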