A common feature on many websites is a pop-up dialog box where users enter their username and password. Before you enter your information in Firefox next time, you might want to think twice. Security researcher Aviv Raff is alleging that in the latest Firefox 2.0.0.11 release the pop-up dialog box for password entry can be spoofed in a phishing attack.

"Mozilla Firefox allows spoofing the information presented in the basic authentication dialog box," Raff wrote in an advisory. "This can allow an attacker to conduct phishing attacks, by tricking the user to believe that the authentication dialog box is from a trusted Website."

Raff explained that the vulnerability exists because Firefox doesn't 'sanitize' all the characters in the authentication box for the realm value, which identifies where the authentication request comes from. As such, it is possible for an attacker to craft a malicious realm value that makes the password dialog box appear to come from a trusted site such as a financial institution.

"When the victim clicks on the link, the trusted web page will be opened in a new window, and a script will be executed to redirect the newly opened window to the attacker's web server, which will then return the specially crafted basic authentication response," Raff wrote. In addition to the advisory, Raff has posted a video on YouTube showing how the vulnerability can be exploited.
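As an added illustration, not code from Raff's advisory or from Mozilla, here is a small Python checker that parses the realm out of a Basic WWW-Authenticate challenge and flags the kind of unsanitized content described above: control characters, long whitespace padding, and a realm that names a host other than the one actually serving the challenge. The heuristics and the sample challenges are this example's own assumptions.

```python
import re

# RFC 2617 auth-param grammar: realm="<quoted-string>"; a quoted-string may hold
# quoted-pairs (\"), so a naive split on '"' is not enough.
REALM_RE = re.compile(r'realm\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE | re.DOTALL)
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)

def parse_basic_realm(www_authenticate):
    """Realm of a Basic challenge; None if not Basic, '' if Basic without realm."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    m = REALM_RE.search(params)
    if not m:
        return ""
    return re.sub(r"\\(.)", r"\1", m.group(1), flags=re.DOTALL)  # undo quoted-pairs

def realm_warnings(realm, serving_host):
    """Heuristics (this example's own, not Mozilla's fix) for realm text a client
    should not render verbatim; serving_host is the host that sent the challenge."""
    warnings = []
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in realm):
        warnings.append("control-chars")      # line breaks can reshape the dialog
    if re.search(r"\s{4,}", realm):
        warnings.append("whitespace-run")     # padding that pushes text out of view
    if len(realm) > 128:
        warnings.append("too-long")
    for host in HOST_RE.findall(realm):
        if host.lower() != serving_host.lower():
            warnings.append("foreign-host:" + host.lower())  # realm names another site
    return warnings

def audit(challenges):
    """challenges: [(serving_host, WWW-Authenticate value)] -> {host: warnings}
    for Basic challenges only; non-Basic schemes are skipped."""
    report = {}
    for host, header in challenges:
        realm = parse_basic_realm(header)
        if realm is not None:
            report[host] = realm_warnings(realm, host)
    return report

# Constructed sample challenges, not captured traffic.
SAMPLES = [
    ("intranet.example", 'Basic realm="Members area"'),
    ("cdn.example", 'Digest realm="cdn.example", nonce="abc"'),
    ("evil.invalid", 'Basic realm="https://www.bank.example/login\n\n\n      Enter your password"'),
]
```

Running `audit(SAMPLES)` reports the third challenge for control characters, a whitespace run and a foreign host, while the first comes back clean and the Digest challenge is skipped.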

Mozilla Chief Security Officer Window Snyder, in an email to InternetNews.com, said that Mozilla is investigating the issue. Snyder also noted that Raff did not first properly inform Mozilla of the security issue.

"Aviv Raff first posted this information in a public forum," Snyder commented. "At Mozilla, we prefer that security researchers notify us of potential issues by either filing a security sensitive bug in https://bugzilla.mozilla.org or e-mailing security@mozilla.com. It helps us keep users safe when security researchers notify us before making details publicly available, but we appreciate all contributions."

Raff was not immediately available for comment.

This article was first published on InternetNews.com.