Phishing with XUL: demonstration of address bar spoofing
-
- Posts: 97
- Joined: March 5th, 2004, 8:43 pm
Well I know zilch about XUL, but I can say:
With my settings (Options > Web Features > Advanced > uncheck all but last) I see the following red flags immediately:
- Maximize/restore button disabled, plus window isn't in fact maximized (rather obvious with my Windows theme)
- Double status bar.
- Search box not set to Google (and how does the spoofer know the user's default?)
Still, I'm impressed with the spoof.
I will also say that no matter how obvious FF designers make a spoof, the most likely scam victims may still get stung. I mean, if they were dumb enough to open that e-mail in the first place....
-
- Posts: 107
- Joined: November 7th, 2002, 12:32 pm
- Contact:
I keep seeing "xul will be used for more in the future" as an excuse not to secure it. I'm sure Microsoft developers said the same thing years ago when people pointed out possible security issues with ActiveX. Don't make the same mistake MS did of sacrificing security just to allow web developers to do kewl things.
The 99.9% of the user base who do not have a use for these kewl features should not be forced into a security vulnerability to satisfy the other .1%. Learn from the screwups in Redmond, don't emulate them.
-
- Posts: 218
- Joined: December 12th, 2003, 3:53 pm
- Contact:
I have the dom.disable_window_open_feature.location set to true in about:config, so when I click on the spoof test in this post at http://www.pikey.me.uk/mozilla/test/spooftest.html I get an extra address bar. I don't know about the average person, but that would make me suspicious.
- Freyr
- Posts: 81
- Joined: July 17th, 2004, 11:34 am
- Location: Missouri,USA
I'm with scratch. I get my email thru a web-based interface and when I click on an email it pops up a small window with no chrome (just the email). I like it personally.
I think that if a webpage tries to add/remove chrome it should not be allowed to, and a thing should pop up like the popup blocker now does, saying it blocked the page from trying to change the chrome, and you click on it for options. And by default add localhost (or whatever could be the same thing) as one of the allowed sites. By going the way the popup blocker does, it makes it so you're not forced to choose every time any page does this, because most people will always hit yes.
What the popup thing should say is something like this.
"Website tried to change the look of Mozilla Firefox, <b>this can make one website appear as another</b>. Click here for options..."
----#When Clicked----------------------
Allow chrome changes for www.site.com
Edit chrome change Preferences...
Don't show this message again. #Still in the statusbar menu.
--------------------------------------------
Add randomname
Add randomname
Remove taskbar
Remove menubar
If anybody has got ideas to add that will be great. Other threads with the same topic are
http://forums.mozillazine.org/viewtopic ... 5&start=15
http://forums.mozillazine.org/viewtopic ... 3&start=15
http://forums.mozillazine.org/viewtopic.php?t=107462
I posted telling them to post in this thread.
-
- Posts: 2031
- Joined: February 6th, 2004, 11:59 am
----->Begin Rant<----
this issue is SOOOO overblown... anyone can fake a site, and make it look real; it's the nature of the Internet and ALL people (yes people, not the browser) need to be more aware..... You DO look all ways before crossing an intersection... Don't You??
----->End Rant<------
If you want to verify your location, just use this bookmarklet to verify the page location in your address bar matches the page you are viewing...
javascript:alert(%22The actual URL is:\t\t%22 + location.protocol + %22//%22 + location.hostname + %22/%22 + %22\nThe address URL is:\t\t%22 + location.href + %22\n%22 + %22\nIF the above SERVER names do NOT match EACH other; OR, if they do NOT match the Address in the Location Bar, this MAY be a SPOOF.%22);
credit: Jesse Ruderman (if I can recall correctly)
- Freyr
- Posts: 81
- Joined: July 17th, 2004, 11:34 am
- Location: Missouri,USA
AnonEmoose, you know and I know, but it's getting tons of bad press so they are going to have to do something to at least make it look like they are making it easier to spot if a site tries to change the chrome. I think my idea would work; what do you think?
Linux Install Script
http://forums.mozillazine.org/viewtopic ... highlight=
http://forums.mozillazine.org/viewtopic ... highlight=
-
- Posts: 2031
- Joined: February 6th, 2004, 11:59 am
The idea is good. But it can't prevent people from turning it off on purpose.... just look at how many people turn off the pref "signed.applets.codebase_principal_support" AND to get to ircspy, packet news, no less just so they don't have to copy & paste......... LOL.
or turning pref "security.checkloaduri" off even if they use the PC in Non-closed network environment
But that said, I personally don't have a preference....
After all the hoopla, looks like being able to customize your browser theme/toolbars etc. turns out to be a security measure
- scratch
- Posts: 4942
- Joined: November 6th, 2002, 1:27 am
- Location: Massachusetts
Freyr wrote: AnonEmoose, you know and I know, but it's getting tons of bad press so they are going to have to do something to at least make it look like they are making it easier to spot if a site tries to change the chrome. I think my idea would work; what do you think?
the problem is, it's not actually changing the chrome. it's opening a popup window with some of the toolbars hidden. there are thousands of sites out there right now that do that already, so most people would turn off the notification because they'd get tired of clicking "allow". and then we'd be right back where we are. we need a more well thought out solution.
-
- Posts: 92
- Joined: July 18th, 2004, 10:55 pm
Re: Phishing with XUL: demonstration of address bar spoofing
rat144 wrote: We can't rely on users to make ANY configuration changes; Firefox must be secure by default.
You are so right rat.
-
- Posts: 92
- Joined: July 18th, 2004, 10:55 pm
Molerat wrote: ... it comes down to a question of who the intended userbase is. Who is Firefox being developed for? Is it for the developers? Geeks? Hobbyists? The unwashed masses?
Here's a loaded question: what's more important, grandma-proofing online banking, or the wishes of the developer community?....
Excellent questions...
- shevegen666
- Posts: 444
- Joined: May 12th, 2004, 7:18 am
- Freyr
- Posts: 81
- Joined: July 17th, 2004, 11:34 am
- Location: Missouri,USA
AnonEmoose - All true, but if it's enabled by default and people disable it, they can't complain when they get owned; we tried and they threw it away. But this would not be a stupid click-through popup (which are a pain in the ass, as most click through without reading it anyway). The website would just load like normal but minus the chrome changes. A bar like the popup blocker now has, and it would take two clicks to add the site to a white list if you need it or to not show the bar anymore (but still have it in the status bar, next to the popup blocker icon).
No chrome changes = Normal icon
Disable totally in the option menu = X thru Icon
Chrome changes blocked = Red Icon
Chrome changes on white list site = Green Icon
scratch - By default it would disable chrome changes; you would have to set it on a site-by-site basis even if you make it not pop up in a bar (like popups does). If you go into options/preferences and uncheck it then it would be turned off totally. This is the only idea I can think of; there has to be some give and take on this subject. Some sites need it, some don't need it. Also, I thought the spoofing in question directly used chrome for the spoofing. 90% of the idea is mainly to stop the removal of chrome; the adding chrome part is a bonus and does not need to be added if it's bad or if it's hard to code.
I personally only go to like three sites that remove some chrome and I'd just block their chrome changes and not worry about it.
Who should I send this idea to that can code? Any idea is better than none. I'll see about making a long summary on this with more detail; I've got a few more ideas to add to it that would make it better.
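The blocker proposed in the post above, sketched as an added example (not code from the thread or from Firefox): it reads the features string a page passes to window.open(), works out which bars the popup wants hidden, and maps the result onto the four icon states listed. The function names, the `settings` object and the icon labels are hypothetical, and the rule that unlisted bars default to off once any feature is given is an assumption about legacy window.open() behaviour.

```javascript
// Added example: a hypothetical model of the proposed blocker, not Firefox code.
const CHROME = ["location", "menubar", "toolbar", "status"];

// Parse a window.open() features string such as "location=no,width=400".
function parseFeatures(features) {
  const flags = {};
  for (const part of features.split(",")) {
    const [rawName, rawValue] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    // A bare name ("status") means on; otherwise only "yes" or "1" do.
    const value = rawValue === undefined ? "yes" : rawValue.trim().toLowerCase();
    flags[name] = value === "yes" || value === "1";
  }
  return flags;
}

// Chrome elements the popup asks to hide. Assumed legacy rule: once any
// feature is listed, every bar that is not explicitly on is off.
function requestedHidden(features) {
  if (features.trim() === "") return [];
  const flags = parseFeatures(features);
  return CHROME.filter((name) => flags[name] !== true);
}

// Decide what the user sees. settings = { enabled, whitelist: Set of hosts }.
function decide(openerUrl, features, settings) {
  const host = new URL(openerUrl).hostname;
  const wanted = requestedHidden(features);
  if (!settings.enabled) return { icon: "x", hidden: wanted };
  if (wanted.length === 0) return { icon: "normal", hidden: [] };
  if (settings.whitelist.has(host)) return { icon: "green", hidden: wanted };
  return { icon: "red", hidden: [], blocked: wanted }; // bars stay visible
}

// Constructed sample input (hosts and feature strings are made up).
const settings = { enabled: true, whitelist: new Set(["webmail.example"]) };
const samples = [
  ["https://webmail.example/inbox", "width=400,height=300"],
  ["http://spoof.example/login", "location=no,status=no,menubar=yes,toolbar=yes"],
  ["http://news.example/", ""],
];
for (const [url, features] of samples) {
  console.log(url, JSON.stringify(decide(url, features, settings)));
}
```

The first sample shows why the whitelist matters: a webmail popup that only sets a size still loses all four bars, which is the everyday case raised earlier in the thread.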