CVE-2021-23972 in Firefox
Summary
by MITRE • 02/26/2021
One phishing tactic on the web is to provide a link with HTTP Auth. For example 'https://www.phishingtarget.com@evil.com'. To mitigate this type of attack, Firefox will display a warning dialog; however, this warning dialog would not have been displayed if evil.com used a redirect that was cached by the browser. This vulnerability affects Firefox < 86.
Analysis
by VulDB Data Team • 03/05/2021
This vulnerability is a phishing vector that abuses how the browser handles HTTP authentication URLs together with its redirect cache. The attacker crafts a link such as 'https://www.phishingtarget.com@evil.com': everything before the '@' is the userinfo part of the URL, not the host, so the link appears to lead to www.phishingtarget.com while the actual destination is evil.com. Firefox versions prior to 86 warn the user about such URLs, but the warning dialog is not shown when the navigation is served from a cached redirect, allowing the attacker to bypass the warning that would normally protect users from credential-stealing phishing attempts.
The technical implementation of this vulnerability stems from Firefox's inconsistent handling of cached redirects in HTTP authentication contexts. When a user encounters a phishing URL that triggers an HTTP redirect, the browser's caching mechanism stores the redirect response without properly validating whether the final destination should trigger the security warning dialog. This creates a scenario where legitimate security warnings are bypassed because the cached redirect path does not undergo the same validation checks that would occur during a fresh navigation attempt. The vulnerability operates at the intersection of web browser security architecture and caching protocols, where the expectation is that all navigation paths leading to potentially malicious content should be subject to the same security screening regardless of whether the path is fresh or cached.
The operational impact of this vulnerability extends beyond simple phishing protection, as it undermines fundamental browser security assumptions about URL validation and user protection. An attacker can leverage this flaw by serving a redirect from the malicious domain so that the browser caches it; subsequent navigations to the crafted authentication URL are then answered from the redirect cache and Firefox's built-in warning, which would normally alert users to potentially dangerous authentication URLs, is never displayed. The vulnerability is particularly concerning because it affects the core security model of Firefox's authentication handling, potentially exposing users to credential theft and identity compromise attacks that would otherwise be blocked by the browser's security infrastructure.
The mitigation for this vulnerability requires Firefox version 86 or later, where the browser's redirect handling and caching mechanisms have been updated to properly validate all paths leading to authentication URLs, regardless of whether they are cached or fresh. This update addresses the underlying issue by implementing more robust URL validation that ensures cached redirects are subject to the same security checks as new navigation attempts. Organizations should ensure all Firefox installations are updated to version 86 or higher to protect against this specific phishing attack vector. The fix aligns with security best practices outlined in the CWE (Common Weakness Enumeration) category for improper input validation and caching security issues, and represents a direct response to the ATT&CK technique of credential access through phishing and social engineering attacks. This vulnerability demonstrates the importance of comprehensive security validation across all browser navigation paths, including cached redirects, and highlights the critical need for consistent security enforcement regardless of how content is accessed or cached by the browser.
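The mechanism and the fix described above can be made concrete with a small model. The following is an added example, not Firefox code or anything from the advisory: it uses the WHATWG URL parser available in Node to show how the authority of the example link is actually interpreted, and a constructed navigation model (`NavModel`, with a hypothetical redirect table and redirect cache) in which the userinfo warning is first attached only to the fresh-fetch path, as the advisory describes, and then applied to the requested URL before the cache is consulted. The specific ordering of checks inside Firefox is not on the page; the model only reproduces the observable behaviour that a cached redirect suppresses the warning.

```javascript
// Constructed model of the CVE-2021-23972 failure mode. Not Firefox's
// implementation; it only reproduces the behaviour the advisory describes.

// Hypothetical helper: true when the URL carries userinfo in its authority
// (https://user:pass@host), which is the shape the warning dialog exists for.
function hasUserinfo(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return false; // unparseable input is not a navigation target
  }
  return u.username !== '' || u.password !== '';
}

// Show how the parser splits the authority: the text before '@' is the
// username, and the real host is whatever follows it.
function describeAuthority(urlString) {
  const u = new URL(urlString);
  return { username: u.username, host: u.host };
}

// Minimal navigation model. `redirects` is a constructed table mapping a
// requested URL to its redirect target; `cache` plays the role of the
// browser's redirect cache; `warnings` records when the dialog would appear.
class NavModel {
  constructor(redirects) {
    this.redirects = redirects;
    this.cache = new Map();
    this.warnings = [];
  }

  // Follow one redirect hop, answering from the cache when possible.
  resolve(url) {
    if (this.cache.has(url)) {
      return { target: this.cache.get(url), fromCache: true };
    }
    const target = this.redirects[url] || url;
    if (target !== url) this.cache.set(url, target);
    return { target, fromCache: false };
  }

  // Vulnerable ordering (modelled): the userinfo check hangs off the fresh
  // fetch path, so a redirect answered from cache never reaches it.
  navigateVulnerable(url) {
    const { target, fromCache } = this.resolve(url);
    if (!fromCache && hasUserinfo(url)) this.warnings.push(url);
    return target;
  }

  // Fixed ordering: validate the requested URL before touching the cache,
  // so cached and fresh navigations get the same check.
  navigateFixed(url) {
    if (hasUserinfo(url)) this.warnings.push(url);
    return this.resolve(url).target;
  }
}

// Run the same two visits through both orderings and count the warnings.
function runScenario() {
  const link = 'https://www.phishingtarget.com@evil.com/';
  const redirects = { [link]: 'https://evil.com/landing' }; // constructed

  const vulnerable = new NavModel(redirects);
  vulnerable.navigateVulnerable(link); // first visit: fresh fetch, warning shown
  vulnerable.navigateVulnerable(link); // second visit: cached redirect, no warning

  const fixed = new NavModel(redirects);
  fixed.navigateFixed(link);
  fixed.navigateFixed(link);

  return {
    vulnerableWarnings: vulnerable.warnings.length, // 1
    fixedWarnings: fixed.warnings.length,           // 2
  };
}

console.log(describeAuthority('https://www.phishingtarget.com@evil.com/'));
console.log(runScenario());
```

The parse result is the part worth showing users and support staff: the host of the example link is evil.com and www.phishingtarget.com is merely the username. The scenario then shows why a check must run on the requested URL itself rather than on the response path; any validation that is skipped for cached responses is only as strong as the cache policy.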