Scott's Web Browsers Blog

By Scott Orgera, About.com Guide to Web Browsers

Dialog Spoofing Makes Firefox Unsafe

Friday January 4, 2008

Security expert Aviv Raff is at it again, this time exposing a very serious flaw in the way the Firefox web browser handles basic authentication. A number of popular Web sites where we conduct bank transactions, check email, and socially interact can be affected by this, since many of them rely on Firefox's Authentication Required dialog box. Even those that do not use this method of authentication can be used as a form of trickery here. When correctly exploited, this flaw gives an attacker the ability to display their own dialog, crafted to appear as if it came from a trusted source. At this point phishing comes into play, with the victim's login credentials being sent directly to the attacker's web server rather than to the intended destination such as PayPal, MySpace, etc.

The vulnerability, which lies in the way Firefox handles single quotes and spaces within the authentication header's realm value, is very troubling, as even the most cautious Web surfers could fall victim if they were in a hurry. An open discussion of the browser's HTTP authentication dialog is posted in Bugzilla, but nothing solid regarding a resolution has been released just yet. Raff has posted a video demonstration of an attack in motion and recommends that Firefox users stop providing usernames and passwords to any site that displays this dialog until a fix is issued. You would do well to heed his advice. This is a scary one. You may even want to switch to an alternate browser in the meantime.
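The dialog text Firefox shows comes from the realm string in the server's WWW-Authenticate header, so a proxy, filtering extension, or log review can vet that string before a user ever sees it. The following checker is an added example written for this post; it is not code from Aviv Raff's demonstration or from Mozilla. It parses a Basic challenge, unescapes the quoted realm, and reports the ingredients the post describes: single quotes, unusual whitespace, control characters, and text naming a host other than the one that actually sent the response. The sample challenges and host names are constructed for illustration.

```python
"""Vet HTTP Basic-auth realm strings before they reach the login dialog.

Added example, not from the original post. Sample headers are constructed.
"""
import re

# Basic challenge with a quoted-string realm (RFC 2617 quoting, \" escapes allowed).
_BASIC_RE = re.compile(r'^\s*Basic\s+realm\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
# Anything that looks like a DNS name, e.g. secure.example.com
_HOSTLIKE_RE = re.compile(r'[a-z0-9-]+(?:\.[a-z0-9-]+)+', re.IGNORECASE)

# Constructed (serving_host, WWW-Authenticate header) pairs for the demo run.
SAMPLE_CHALLENGES = [
    ("mail.example.org", 'Basic realm="Webmail"'),
    ("corp.example.org", 'Basic realm="Intranet (corp.example.org)"'),
    ("evil-host.test", 'Basic realm="Login to secure.example.com   \'Official site\'"'),
    ("api.example.org", 'Digest realm="api", nonce="abc"'),
]


def parse_basic_realm(www_authenticate):
    """Return the unescaped realm of a Basic challenge, or None if the
    header is not a well-formed Basic challenge (e.g. Digest, or unquoted)."""
    m = _BASIC_RE.match(www_authenticate)
    if not m:
        return None
    return re.sub(r'\\(.)', r'\1', m.group(1))


def _same_site(name, host):
    """True when the host-like name in the realm refers to the serving host
    or to a parent/child of it (login.example.com vs example.com)."""
    return name == host or host.endswith("." + name) or name.endswith("." + host)


def realm_warnings(realm, serving_host):
    """Return reasons this realm looks dressed up to mislead the user,
    or an empty list for an unremarkable realm."""
    warnings = []
    if "'" in realm:
        warnings.append("realm contains a single quote")
    if realm != realm.strip() or "  " in realm:
        warnings.append("realm padded with unusual whitespace")
    if any(ord(c) < 0x20 for c in realm):
        warnings.append("realm contains control characters")
    host = serving_host.lower()
    for name in _HOSTLIKE_RE.findall(realm):
        if not _same_site(name.lower(), host):
            warnings.append(f"realm names a foreign host: {name}")
    return warnings


def check_challenge(www_authenticate, serving_host):
    """Parse and vet one challenge; returns (realm, warnings).
    A challenge that is not Basic yields (None, []) since no dialog text
    is derived from it by this checker."""
    realm = parse_basic_realm(www_authenticate)
    if realm is None:
        return None, []
    return realm, realm_warnings(realm, serving_host)


if __name__ == "__main__":
    for host, header in SAMPLE_CHALLENGES:
        realm, warnings = check_challenge(header, host)
        status = "ok" if not warnings else "SUSPICIOUS"
        print(f"{host}: realm={realm!r} -> {status}")
        for w in warnings:
            print(f"    - {w}")
```

The third sample trips all three text checks at once; a real deployment would typically block or rewrite the dialog on any warning rather than scoring them, since a legitimate realm almost never needs quotes, padding, or another site's name.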

©2008 About.com, a part of The New York Times Company.

All rights reserved.