Prevent 401 phishing attacks

[EdOverflow]

The following markdown image should prompt you with an authentication dialog:

![](https://httpbin.org/basic-auth/user/passwd)

This can be used for 401 phishing attacks, where the credentials are sent to an attackers' server.

[EdOverflow]

Maybe we should also prevent use of SVG images.

![](http://brutelogic.com.br/poc.svg) <-- Open this image in a new tab.

[Changaco]

Nice find. :-) What solution would you recommend? The only effective one I can think of is to proxy all images. That's pretty much #202.

[Changaco]

Note that Firefox does show a warning:

https://httpbin.org is requesting your username and password. WARNING: Your password will not be sent to the website you are currently visiting!

Screenshot:

[Changaco]

Can't we tell the browser not to show the prompt through CSP or a similar mechanism?

Why do browsers even show a prompt in this case? What legitimate use-case is there for this?

[EdOverflow]

Why do browsers even show a prompt in this case? What legitimate use-case is there for this?

This is the authentication mechanism for the HTTP Basic Authentication Protocol: http://blog.stevensanderson.com/2008/08/25/using-the-browsers-native-login-prompt/

[Changaco]

I know what it is, but I see no reason to allow it for images. ;-)

[EdOverflow]

Oh, sorry. There isn't really a legitimate use of this mechanism in images. For some reason, developers are not interested in fixing this issue.

The only real solution is to proxy all images as suggested in #202.

[Changaco]

For some reason developers are not interested in fixing this issue.

Do you have links to the relevant tickets in the bug trackers of browsers?

[EdOverflow]

Do you have links to the relevant tickets in the bug trackers of browsers?

https://bugs.chromium.org/p/chromium/issues/detail?id=21628

Can't we tell the browser not to show the prompt through CSP or a similar mechanism?

I will look into this. There is a discussion concerning a CSP implementation here: https://www.w3.org/2011/webappsec/track/issues/68

[Changaco]

Looks like it's not considered in scope for CSP (quote from your link: "it doesn't belong in CSP"), and since there is no spec saying that it shouldn't be allowed the behavior of browsers hasn't been changed.

[EdOverflow]

Yep, I am with you on that. :)

[Changaco]

Mozilla ticket: 647010 – Only present HTTP authentication dialogs if it is the top-level document initiating the auth.

[Changaco]

The new SaferHtmlRenderer that I've contributed to Misaka has built-in support for URL rewriting.

[Changaco]

Relevant article: GitHub’s post-CSP journey.

[Changaco]

camo: an http proxy to route images through SSL (GitHub's image proxy).

[Changaco]

Cloudflare workers seem like the best way to fix this. It would cost $5 per month.

[Changaco]

It looks like this issue has been fixed in browsers, I can't reproduce it anymore in Firefox (76.0.1) and Chromium (83.0.4103.61).