Why I am getting Facebook login pop up for every site?
This is a proxy authentication pop up! And it's most likely a proxy related attack.
When you connect to the Internet through a proxy, you'll be asked to enter username and password if the proxy requires an authentication.
For example:
Note that the whole text The server http:// ... The server says
is editable, and you can change it in the proxy server settings.
Steps of fake proxy attack:
- Setting up a proxy with basic authentication 'no hashing on client side'
- Performing DNS poisoning, so every request will be redirected to the proxy machine
- ARP spoofing, so the attacker can take 'the DNS' place
After applying the attack, the following scenario happens when you open any site:
- HTTP request for your site, assume it's: http://www.foo.com
- The request will go to the fake proxy machine, so the proxy will reply with
407 authentication required
no matter what your request is. And send back the server message with the reply. - A pop up will show, displaying the server message.
- So, if you enter your info, it will go to the fake proxy, then you might be redirected to the Internet.
So, check the DNS response you're getting for any website using Wireshark. It's probably from a suspicious address, the one that achieving DNS spoofing on your network.
TL;TR: it is probably a BlueCoat ProxySG or similar proxy which can be configured to behave that way. Nothing to worry about.
Details:
What you see is a dialog for HTTP basic access authentication. This is not what Facebook uses for authentication. This means that this dialog is not from Facebook itself.
My guess is that facebook.com is filtered by your "strong proxy to avoid social networking sites" but that access to this site is allowed for some authorized users. Thus what you see here is the authentication requested by the proxy you use. Usually proxy authentication is different from site authentication and it would show you that the proxy and not facebook requires authentication. But some software/appliances can be configured to issue a site authentication when used as a transparent proxy, i.e. when not being explicitly configured as proxy inside the browser.
One such proxy software is BlueCoat ProxySG. From their documentation it can be seen that it will return a site authentication (code 401) instead of proxy authentication (code 407) when used as transparent proxy:
The ProxySG appliance issues an OCS-style challenge (HTTP 401) for the first connection request from an unauthenticated client.
This leaves the question why you get this authentication request everywhere. My guess is that you don't get the dialog everywhere but on all sites which embed the Facebook Like button, which is almost everywhere. The site connect.facebook.net you see in the dialog is the Facebook SDK for the Like button.