Why am I getting a Facebook login pop-up for every site?

This is a proxy authentication pop up! And it's most likely a proxy related attack.

When you connect to the Internet through a proxy, you'll be asked to enter a username and password if the proxy requires authentication.

For example:

[Image: auth dialog]

Note that the whole text "The server http:// ... The server says" is editable, and you can change it in the proxy server settings.

Steps of fake proxy attack:

  • Setting up a proxy with basic authentication 'no hashing on client side'
  • Performing DNS poisoning, so every request will be redirected to the proxy machine
  • ARP spoofing, so the attacker can take 'the DNS' place

After applying the attack, the following scenario happens when you open any site:

  1. HTTP request for your site, assume it's: http://www.foo.com
  2. The request will go to the fake proxy machine, so the proxy will reply with 407 authentication required no matter what your request is, and send back the server message with the reply.
  3. A pop up will show, displaying the server message.
  4. So, if you enter your info, it will go to the fake proxy, then you might be redirected to the Internet.

So, check the DNS response you're getting for any website using Wireshark. It's probably from a suspicious address, the one that is achieving DNS spoofing on your network.


TL;DR: it is probably a BlueCoat ProxySG or similar proxy which can be configured to behave that way. Nothing to worry about.

Details:

What you see is a dialog for HTTP basic access authentication. This is not what Facebook uses for authentication. This means that this dialog is not from Facebook itself.

My guess is that facebook.com is filtered by your "strong proxy to avoid social networking sites" but that access to this site is allowed for some authorized users. Thus what you see here is the authentication requested by the proxy you use. Usually proxy authentication is different from site authentication and it would show you that the proxy and not Facebook requires authentication. But some software/appliances can be configured to issue a site authentication when used as a transparent proxy, i.e. when not being explicitly configured as a proxy inside the browser.

One such proxy software is BlueCoat ProxySG. From their documentation it can be seen that it will return a site authentication (code 401) instead of proxy authentication (code 407) when used as transparent proxy:

"The ProxySG appliance issues an OCS-style challenge (HTTP 401) for the first connection request from an unauthenticated client."

This leaves the question why you get this authentication request everywhere. My guess is that you don't get the dialog everywhere but on all sites which embed the Facebook Like button, which is almost everywhere. The site connect.facebook.net you see in the dialog is the Facebook SDK for the Like button.
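
Both answers above turn on which kind of challenge the browser received: a proxy challenge (407) or a site-style challenge (401), and both involve Basic authentication. The following is an added example, not code from either answer, that parses a raw HTTP response and reports which case it is. The function names, the flag strings and the sample responses are constructed for illustration.

```python
import re

# Constructed sample responses (not captured traffic).
PROXY_CHALLENGE = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                   b'Proxy-Authenticate: Basic realm="Example login text"\r\n'
                   b"Content-Length: 0\r\n\r\n")
TRANSPARENT_CHALLENGE = (b"HTTP/1.1 401 Unauthorized\r\n"
                         b'WWW-Authenticate: Basic realm="Example web filter"\r\n'
                         b"Content-Length: 0\r\n\r\n")

def parse_challenge(raw):
    """Return (status, header, scheme, realm) for a 401/407 response, else None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    status = int(m.group(1))
    # 401 carries WWW-Authenticate, 407 carries Proxy-Authenticate.
    wanted = {401: "www-authenticate", 407: "proxy-authenticate"}.get(status)
    if wanted is None:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == wanted:
            parts = value.split(None, 1)
            scheme = parts[0] if parts else ""
            realm = re.search(r'realm="([^"]*)"', value, re.I)
            return status, wanted, scheme, realm.group(1) if realm else ""
    return status, wanted, "", ""  # challenge status but header missing

def assess(raw, proxy_configured):
    """Hypothetical helper: list points worth noting about an auth prompt."""
    challenge = parse_challenge(raw)
    if challenge is None:
        return []
    status, _, scheme, realm = challenge
    notes = ["proxy-challenge" if status == 407 else "site-style-challenge"]
    if status == 407 and not proxy_configured:
        # Heuristic (assumption): a 407 is only expected from a proxy
        # the client was explicitly configured to use.
        notes.append("407-without-configured-proxy")
    if scheme.lower() == "basic":
        # Basic sends base64(user:password); nothing is hashed client-side.
        notes.append("basic-credentials-not-hashed")
    if realm:
        # The realm is whatever text the responding server chose to send.
        notes.append("realm-is-server-chosen-text")
    return notes
```
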