Joachim Breitner's Homepage
I just thought of a - AFAIK - new way to steal passwords from not totally careful users. While XSS relies on somehow smuggling script code into the attacked web presence, this Cross-Site Auth Attack (I just call it XSA) only needs the attacked site to display an image hosted on an attacker-controlled server. This is usually extremely easy: most web forums allow it, as do a lot of web services like e-bay and probably most webmails with HTML support.
All you have to do is put the referenced image in a directory that is protected by HTTP Auth. The user's browser will load the real HTML page, see the image URL, try to load it, get an Authentication Needed reply header, and show the user the login dialogue. The user might think it is his web service requesting his password for some reason, and enter his precious credentials. These are sent to the attacker's server, where they are stored; the server then says that the authentication succeeded and shows - totally unsuspiciously - the image.
The dialogue displayed by the browser contains (at least here in Galeon, which is a Mozilla-based browser, but probably in other browsers too) just a freely choosable text and the domain that is requesting authentication. An aware user might spot the different domain here, but if prepared carefully (www-ebay.com.xy), a sufficient number of users won't notice. The text might explain the "sudden" login request, for example "Server restarted. Please log in again".
I set up a simple example page on http://people.debian.org/~nomeata/xsa-sample.html that loads an image from nomeata.de. The password you enter will be readable by my own server, although everything looks as if you are on people.debian.org. Note that I did not try to feign the URL. Also note that my webserver uses /dev/null as the user file, so no matter what you enter, the login will fail, and no picture can be displayed (there is none at all).
How can we protect ourselves from that threat? First aid is to carefully read the messages the browser gives you. In the long run, browsers should add an obvious warning when an embedded object that is stored somewhere other than the site itself requires authentication. Someone should also check whether it is possible, for example with weird Unicode tricks, to have the browser show an arbitrary domain in the login window. Web services can protect themselves only by disallowing non-local images, or, if that is not an option, by loading these files once and serving them locally.
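The two server-side defences just named, disallowing non-local images or fetching them once and serving them locally, as an added example. This is my code, not the author's, and it assumes a hypothetical local endpoint `/imgproxy` that serves cached copies. The rewriter passes a document through unchanged except for `<img>` tags whose `src` points off-site, which it either drops or rewrites to the proxy path; the cache fetcher refuses any image host that answers with a 401 or a `WWW-Authenticate` header, so an authentication challenge from a foreign server is never relayed to a user's browser.

```python
"""Server-side defences for the embedded-image HTTP-auth trick.

Added example, not the author's code. PROXY_PATH is a hypothetical
local endpoint that serves cached copies of foreign images.
"""
from html import escape
from html.parser import HTMLParser
from urllib.error import HTTPError
from urllib.parse import quote, urlsplit
from urllib.request import Request, urlopen

PROXY_PATH = "/imgproxy"  # hypothetical: GET /imgproxy?u=<encoded original url>


class ImageRewriter(HTMLParser):
    """Copies a document through; only off-site <img> tags are changed."""

    def __init__(self, site_host, mode):
        super().__init__(convert_charrefs=False)
        self.site_host = site_host.lower()
        self.mode = mode        # "drop": remove foreign images; "proxy": rewrite src
        self.out = []
        self.external = []      # foreign src values seen, for logging or review

    def _classify(self, src):
        parts = urlsplit(src)
        if parts.scheme not in ("", "http", "https"):
            return "bad"        # data:, javascript:, file: ... are never kept
        if parts.netloc == "":
            return "local"      # relative URL, same origin as the page
        host = (parts.hostname or "").lower()
        return "local" if host == self.site_host else "external"

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            self.out.append(self.get_starttag_text())
            return
        src = dict(attrs).get("src") or ""
        kind = self._classify(src)
        if kind == "local":
            self.out.append(self.get_starttag_text())
            return
        self.external.append(src)
        if kind == "bad" or self.mode == "drop":
            return              # tag omitted entirely
        proxied = PROXY_PATH + "?u=" + quote(src, safe="")
        rebuilt = []
        for name, value in attrs:
            if name == "src":
                value = proxied
            rebuilt.append(name if value is None else '%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<img " + " ".join(rebuilt) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <img .../> must not emit a stray </img>

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def sanitize_images(html_doc, site_host, mode="proxy"):
    """Return (rewritten_html, list_of_foreign_image_urls)."""
    parser = ImageRewriter(site_host, mode)
    parser.feed(html_doc)
    parser.close()
    return "".join(parser.out), parser.external


def _urllib_fetch(url, timeout=5):
    """Real transport for the cache filler: returns (status, headers, body)."""
    req = Request(url, headers={"User-Agent": "image-cache/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except HTTPError as err:
        return err.code, dict(err.headers.items()), b""


def fetch_image_for_cache(url, fetch=_urllib_fetch):
    """Fetch a foreign image for local serving. Returns (ok, reason, body).

    An authentication challenge from the image host is rejected here, so it
    can never reach a user's browser as a login prompt.
    """
    status, headers, body = fetch(url)
    headers = {k.lower(): v for k, v in headers.items()}
    if status == 401 or "www-authenticate" in headers:
        return False, "auth challenge from image host", b""
    if status != 200:
        return False, "status %d" % status, b""
    if not headers.get("content-type", "").lower().startswith("image/"):
        return False, "not an image", b""
    return True, "ok", body
```

Run `sanitize_images(post_html, "people.debian.org", mode="proxy")` on user-submitted content before storing it; the returned list of foreign URLs is worth logging, since a burst of image references to an unfamiliar host is exactly the pattern this attack leaves behind. The `fetch` parameter exists so the rejection logic can be exercised offline with a stub transport.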
I hope that this post leads to a fruitful discussion, and not to a wave of new password phishing attacks.
Update: I just checked Opera and Mozilla, both on Debian. Mozilla's dialogue is the worst, with the domain at the end of a long line, which is probably not read by the unaware user. Opera's dialogue is so far the best: the domain comes first, in a very readable table, so to fool the user you probably have to pull a good "similar looking domain" trick. BTW: Swimming in the sea is great, and the water is surprisingly warm, at 1:30am, in Helsinki.
Update: The example page I set up now actually accepts logins and saves them to a log; the code to do that is very simple (it is a 19-line mod_perl Apache authentication module). I also use a nice icon from the Gnome project as the image.