Phishing with XUL: demonstration of address bar spoofing

Discussion of general topics about Mozilla Firefox
bcool
Posts: 638
Joined: December 27th, 2003, 9:01 am
Location: Ozarks

Post by bcool »

Point well taken! Though the security padlock never appeared on my fake graphic browser window and the fake browser graphic did appear in a separate popup window (which personally I would immediately find strange) - I do see the potential here for much harm. Thank you.
Never let them see you sweat
Pike
Posts: 2293
Joined: August 10th, 2003, 12:12 pm
Location: UK

Post by Pike »

One issue with disabling remote XUL is that nearly everything you can do in XUL can be done in HTML + JS, it just takes longer.

Simple example without using XUL: http://www.pikey.me.uk/mozilla/test/spooftest.html

I can imagine that if someone put some more time into that you could make it fairly convincing, without even touching XUL.
Kylotan
Posts: 478
Joined: July 21st, 2003, 4:45 am
Location: Nottingham, UK

Post by Kylotan »

Is there any good reason why remote sites should have access to the 'chrome://' protocol by default?
jason2584
Posts: 111
Joined: April 20th, 2004, 11:05 am
Location: Indianapolis, IN

Post by jason2584 »

I think part of the problem here is not only Firefox, but the way we do web security in general (at least in the US). In my opinion, the Internet is overdue for an update in session-based security. European banking sites already require much more stringent authentication to access their online services. Of course the downside to their increased security is more user responsibility. For example, some banks issue "SmartCards" or other media that contain passwords that can be used for online banking. Sometimes passwords are only good for one session. While much of what Europe has adopted is out of the scope of present feasibility for us stupid Americans, their stance on security is noteworthy. The Internet in general could offer much tighter security than it does if newer security standards could be developed where web-security was managed jointly by remote webserver and local machine. If a cross-platform standard could be implemented on OSes, the Web could significantly increase its security while taking pretty minimal losses to usability/portability. Such a multi-tiered security approach would leave phishers fishing for new ideas.
michaell522
Posts: 2417
Joined: November 4th, 2002, 4:47 pm
Location: London, UK

Post by michaell522 »

Kylotan wrote: Is there any good reason why remote sites should have access to the 'chrome://' protocol by default?

Remote sites can't link to chrome, they can only load images and stuff from it. If they're using XUL, I can see why they'd want to do that. For the regular HTML website, I can't.

But blocking that is still just another step - that demo is only loading PNGs and GIFs. You don't need to use chrome:// URLs for that, you can just copy the graphics from Firefox and put them on their own site (admittedly, you've successfully protected the minority that use a different theme).

Blocking XUL, or chrome:// images doesn't solve the problem, it just means the phisher has to do a few minutes more work (on a one-time basis, and then they can reuse it in future).

As for the greater security - one simple antiphishing measure that some places use is varying the information. "smile" bank, for example, has a first page where you enter your identity and a pin, and then you get taken to a second page where it asks for an item of personal info, selected from about 6 possible question/answers. For Nationwide (another UK bank) you have a 6 digit passnumber, and they only ever ask for 2 digits at a time. Sites that aren't yet doing anything like that should be.

Electronic smartcards which produce one-time authentication give very good security. But then you do have the expense of producing them and mailing them out to customers - Coutts bank does that, but then they have rich customers and charge a fortune in bank charges.
rat144
Posts: 6
Joined: July 19th, 2004, 2:49 am

Post by rat144 »

bcool wrote: Point well taken! Though the security padlock never appeared on my fake graphic browser window and the fake browser graphic did appear in a separate popup window (which personally I would immediately find strange) - I do see the potential here for much harm. Thank you.

Don't read too much into the bugs in my code =P Somebody who's good at this could pull it off much more slickly.

bcool wrote: Is there any good reason why remote sites should have access to the 'chrome://' protocol by default?

No. I don't even know why web apps would want to know what your back button looks like. Still, michaell is right; the chrome:// protocol only makes this easier, the issue doesn't rely on it.

Pike wrote: Simple example without using XUL: http://www.pikey.me.uk/mozilla/test/spooftest.html

Blast it Pike, you've just made this much more complicated. Why did you have to go and point that out? =P Now that you mention it, I'm willing to bet that you could do almost anything in HTML that you can do in XUL.

Why does Firefox's rendering engine have to be so powerful? What was so terribly wrong with Netscape 4?
Kylotan
Posts: 478
Joined: July 21st, 2003, 4:45 am
Location: Nottingham, UK

Post by Kylotan »

michaell wrote:
Kylotan wrote: Is there any good reason why remote sites should have access to the 'chrome://' protocol by default?

Remote sites can't link to chrome, they can only load images and stuff from it. If they're using XUL, I can see why they'd want to do that. For the regular HTML website, I can't.

Someone just did it above, which obviously shows that it's one method that works and presumably makes it easier to mimic the way that user has their browser set up.

But blocking that is still just another step - that demo is only loading PNGs and GIFs. You don't need to use chrome:// URLs for that, you can just copy the graphics from Firefox and put them on their own site (admittedly, you've successfully protected the minority that use a different theme).

Blocking XUL, or chrome:// images doesn't solve the problem, it just means the phisher has to do a few minutes more work (on a one-time basis, and then they can reuse it in future).

Firstly, I think that probably a large number of people do use a different theme, although that is likely to decrease in proportion as the user base gets larger.

Secondly, and this is a big one: 'chrome://' exploits leaves Firefox open to 'Mozilla-only' security issues. This is very bad when it comes to trying to promote this browser to the world in general. Restricting phishing so that Firefox is only susceptible to the same attacks that would affect IE is not exactly satisfactory, but it's better than having our own special issues that IE users are safe from.
khlo
Posts: 56
Joined: May 21st, 2004, 11:44 am

Post by khlo »

Perhaps the only way you can be 100% free from phishing is to use Lynx ;) Is there any reason why Firefox can't require the address bar and relevant chrome to be displayed on *every* window, including popups?
michaell522
Posts: 2417
Joined: November 4th, 2002, 4:47 pm
Location: London, UK

Post by michaell522 »

Kylotan wrote: Firstly, I think that probably a large number of people do use a different theme, although that is likely to decrease in proportion as the user base gets larger.

update.mozilla.org has seen around 300,000 theme downloads since it was set up over a month ago, and I don't imagine the other theme sites are that much more. Just from the Mozilla servers, Firefox has had 3 million downloads in 30 days. So a high guess would be 25% of people using themes. As the user base gets wider, that will get lower, as you say.

Secondly, and this is a big one: 'chrome://' exploits leaves Firefox open to 'Mozilla-only' security issues. This is very bad when it comes to trying to promote this browser to the world in general. Restricting phishing so that Firefox is only susceptible to the same attacks that would affect IE is not exactly satisfactory, but it's better than having our own special issues that IE users are safe from.

That's a fair point, but I don't know how much of a compelling argument the developers would find it. You're asking that Firefox doesn't do anything that IE doesn't do, just in case it opens up a hole. There are bound to be "Mozilla-only" security flaws in any case - just implementing javascript, which has had Mozilla-only holes in the past, for example.
pGwtech
Posts: 1
Joined: July 20th, 2004, 10:58 am
Location: Toronto,Canada

Post by pGwtech »

-- already mentioned in thread. ignore.
Last edited by pGwtech on July 20th, 2004, 11:05 am, edited 1 time in total.
Kylotan
Posts: 478
Joined: July 21st, 2003, 4:45 am
Location: Nottingham, UK

Post by Kylotan »

No, I just think that anything Mozilla does that IE doesn't do, and which can be used as a vector for a known security problem, should be restricted (eg. by whitelist). I certainly don't want to see functionality removed entirely, just checks on situations where abuse potential outweighs use potential.
scratch
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post by scratch »

khlo wrote: Perhaps the only way you can be 100% free from phishing is to use Lynx ;) Is there any reason why Firefox can't require the address bar and relevant chrome to be displayed on *every* window, including popups?

Because that would look bad in most if not all XUL apps.
big_gie
Posts: 153
Joined: August 29th, 2003, 7:00 am
Location: Montréal, Québec, Canada

Post by big_gie »

scratch wrote: Because that would look bad in most if not all XUL apps.

Who uses them anyway?
OK, some do, but it is a minority. It isn't a satisfying argument for the status quo. I'm not accepting that my browser gets spoofed because some people want to develop a nice UI, and I already mentioned it.

Also, why is FF spoofable? Is it a real spoof where the address is really changed? Or is the address bar just replaced with a bogus text box which can contain anything?
scratch
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post by scratch »

The idea is for XUL apps to be used by everyone regularly eventually. It's a new technology supported by a web browser with 5% of people using it. Give it time.

It's neither. What you're seeing is a fake address box created with XUL. What's created is a new browser window with no chrome, and then fake chrome is added with XUL.
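The mechanism scratch describes (a new browser window opened with no chrome, then fake chrome painted into it) and the countermeasure khlo asks about (force the address bar on in every window, popups included) in working code, as an added example that is not part of the original thread or of Firefox. It models how a browser reads the feature string of window.open(), which is what lets a page suppress the real location bar in the first place; a "location bar always on" policy that rewrites that feature set (Firefox exposes a preference of this kind, dom.disable_window_open_feature.location); and a static check over page source for popups that would hide the location bar. The feature names are the standard window.open() ones; the sample HTML, the spoof.html URL and the other file names are constructed for this example.

```javascript
// Added example, not code from the thread or from Firefox. Models how a
// browser parses the third argument of window.open() and how a "location
// bar always on" policy would rewrite it. Feature-string semantics follow
// the classic behaviour that made chromeless popups possible: an empty
// string opens a normal window with all chrome; a non-empty string turns
// every chrome feature it does not list off.

const CHROME_FEATURES = ['toolbar', 'location', 'menubar', 'status', 'scrollbars', 'resizable'];

// Boolean feature values: "location", "location=", "location=yes",
// "location=true" and any non-zero integer mean on; everything else off.
function parseBooleanFeature(value) {
  if (value === '' || value === 'yes' || value === 'true') return true;
  const n = parseInt(value, 10);
  return !Number.isNaN(n) && n !== 0;
}

// Returns an object with one key per chrome feature (true/false) plus any
// non-chrome keys (width, height, left, top) as the raw strings given.
function parseFeatures(features) {
  const text = (features || '').trim();
  const result = {};
  if (text === '') {
    for (const f of CHROME_FEATURES) result[f] = true;
    return result;
  }
  for (const f of CHROME_FEATURES) result[f] = false;
  for (const part of text.split(',')) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : part.slice(eq + 1).trim().toLowerCase();
    if (key === '') continue;
    if (CHROME_FEATURES.includes(key)) {
      result[key] = parseBooleanFeature(value);
    } else {
      result[key] = value;
    }
  }
  return result;
}

// The policy khlo proposes: whatever the page asked for, the listed chrome
// is forced on. Returns the effective feature set the window would get, so
// the real URL is always visible above whatever fake chrome the page draws.
function enforceChrome(features, forced = ['location']) {
  const effective = parseFeatures(features);
  for (const f of forced) effective[f] = true;
  return effective;
}

// Static check over page source: report every three-argument window.open()
// call whose feature string would hide the location bar. One- or
// two-argument calls open a full-chrome window and are not reported. This
// is a heuristic: a feature string assembled at runtime will not be seen.
function findChromelessPopups(html) {
  const call = /window\.open\s*\(\s*(['"])(.*?)\1\s*,\s*(['"])(.*?)\3\s*,\s*(['"])(.*?)\5/g;
  const hits = [];
  let m;
  while ((m = call.exec(html)) !== null) {
    const url = m[2];
    const features = m[6];
    if (!parseFeatures(features).location) hits.push({ url, features });
  }
  return hits;
}

// Constructed sample page (hypothetical file names): one explicitly
// chromeless popup (the spoof pattern from the thread), one that hides the
// location bar merely by listing only a size, and one that keeps full chrome.
const SAMPLE_HTML = `
<a href="#" onclick="window.open('spoof.html', 'login', 'location=no,toolbar=no,menubar=no,status=no,width=700,height=500'); return false;">Log in</a>
<a href="#" onclick="window.open('terms.html', 'terms', 'width=400,height=300'); return false;">Terms</a>
<a href="#" onclick="window.open('help.html', 'help', ''); return false;">Help</a>
`;

function main() {
  for (const hit of findChromelessPopups(SAMPLE_HTML)) {
    console.log(`location bar hidden for ${hit.url}: "${hit.features}"`);
    console.log('  with the location bar forced on:', enforceChrome(hit.features));
  }
}

main();
```

The second sample link is the case worth noticing: a page does not have to say location=no to lose the location bar, since any non-empty feature string switches off the chrome it omits. That is also why the thread's point stands that blocking one vector only costs the phisher a few minutes: the static check above is defeated by building the feature string at runtime, whereas forcing the feature on in the browser, as enforceChrome does, holds regardless of how the call was written.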
tojofb
Posts: 37
Joined: August 1st, 2003, 6:13 am

Post by tojofb »

Using 7/19 nightly the spoof didn't work. I received a warning and also the address bar at the top displayed in yellow background.