Phishing with XUL: demonstration of address bar spoofing

jagged ben
Posts: 97
Joined: March 5th, 2004, 8:43 pm

Post by jagged ben »

Well I know zilch about XUL, but I can say:

With my settings (Options > Web Features > Advanced > uncheck all but last) I see the following red flags immediately:
-Maximize/restore button disabled, plus window isn't in fact maximized (rather obvious with my Windows theme)
-Double status bar.
-Search box not set to Google (and how does the spoofer know the user's default?)

Still, I'm impressed with the spoof.

I will also say that no matter how obvious FF designers make a spoof, the most likely scam victims may still get stung. I mean, if they were dumb enough to open that e-mail in the first place....
matott
Posts: 1
Joined: July 30th, 2004, 5:12 pm

Post by matott »

I'm not so informed about XUL. But these "scripting languages" or SGML languages are very insecure, I think. Binaries are more secure but creating them is more laborious (different archs). So I think disabling is the best way.
Mike Healan
Posts: 107
Joined: November 7th, 2002, 12:32 pm

Post by Mike Healan »

I keep seeing "xul will be used for more in the future" as an excuse not to secure it. I'm sure Microsoft developers said the same thing years ago when people pointed out possible security issues with ActiveX. Don't make the same mistake MS did of sacrificing security just to allow web developers to do kewl things.

The 99.9% of the user base who do not have a use for these kewl features should not be forced into a security vulnerability to satisfy the other .1%. Learn from the screwups in Redmond, don't emulate them.
Kitchel
Posts: 218
Joined: December 12th, 2003, 3:53 pm

Post by Kitchel »

I have dom.disable_window_open_feature.location set to true in about:config, so when I click on the spoof test in this post at http://www.pikey.me.uk/mozilla/test/spooftest.html I get an extra address bar. I don't know about the average person, but that would make me suspicious.
doovman
Posts: 6
Joined: May 18th, 2003, 3:20 pm

Post by doovman »

I have the same problem as Kitchel; I get an extra address bar and an extra status bar which aren't even set up like mine. Does anyone know why it works differently on different systems?
scratch
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post by scratch »

i'm not using it as an excuse not to secure it, i'm just saying it needs to be secured in a well thought out way, not just the quickest thing that occurs to you that will break xul from having useful functionality.
Freyr
Posts: 81
Joined: July 17th, 2004, 11:34 am
Location: Missouri,USA

Post by Freyr »

I'm with scratch. I get my email thru a web-based interface and when I click on an email it pops up a small window with no chrome (just the email). I like it personally.

I think that if a webpage tries to add/remove chrome it should not be allowed to, and a thing should pop up like the popup blocker now does, saying it blocked the page from trying to change the chrome, and you click on it for options. And by default add localhost (or whatever could be the same thing) as one of the allowed sites. By going the way the popup blocker does, it makes it so you're not forced to choose every time any page does this, because most people will always hit yes.

What the popup thing should say is something like this.
"Website tried to change the look of Mozilla Firefox, this can make one website appear as another. Click here for options..."
----#When Clicked----------------------
Allow chrome changes for www.site.com
Edit chrome change Preferences...
Don't show this message again. #Still in the statusbar menu.
--------------------------------------------
Add randomname
Add randomname
Remove taskbar
Remove menubar

If anybody has ideas to add, that will be great. Other threads with the same topic are
http://forums.mozillazine.org/viewtopic ... 5&start=15
http://forums.mozillazine.org/viewtopic ... 3&start=15
http://forums.mozillazine.org/viewtopic.php?t=107462
I posted telling them to post in this thread.
AnonEmoose
Posts: 2031
Joined: February 6th, 2004, 11:59 am

Post by AnonEmoose »

----->Begin Rant<----
this issue is SOOOO overblown... anyone can fake a site, and make it look real; it's the nature of the Internet and ALL people (yes people, not the browser) need to be more aware..... You DO look all ways before crossing an intersection... Don't You??
----->End Rant<------

If you want to verify your location, just use this bookmarklet to verify the page location in your addressbar matches the page you are viewing...

Code:

javascript:alert(%22The actual URL is:\t\t%22 + location.protocol + %22//%22 + location.hostname + %22/%22 + %22\nThe address URL is:\t\t%22 + location.href + %22\n%22 + %22\nIF the above SERVER names do NOT match EACH other; OR, if they do NOT match the Address in the Location Bar, this MAY be a SPOOF.%22);


credit: Jesse Ruderman (if I can recall correctly)
Freyr
Posts: 81
Joined: July 17th, 2004, 11:34 am
Location: Missouri,USA

Post by Freyr »

AnonEmoose, you know and I know, but it's getting tons of bad press so they are going to have to do something to at least make it look like they are making it easier to spot if a site tries to change the chrome. I think my idea would work, what do you think?
AnonEmoose
Posts: 2031
Joined: February 6th, 2004, 11:59 am

Post by AnonEmoose »

The idea is good. But it can't prevent people from turning it off on purpose.... just look at how many people turn off the pref "signed.applets.codebase_principal_support" AND to get to ircspy, packet news, no less just so they don't have to copy & paste......... LOL.
or turning pref "security.checkloaduri" off even if they use the PC in a non-closed network environment.

But that said, I personally don't have a preference....

After all the hoopla, looks like being able to customize your browser theme/toolbars etc. turns out to be a security measure.
scratch
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post by scratch »

Freyr wrote: AnonEmoose, you know and I know, but it's getting tons of bad press so they are going to have to do something to at least make it look like they are making it easier to spot if a site tries to change the chrome. I think my idea would work, what do you think?


the problem is, it's not actually changing the chrome. it's opening a popup window with some of the toolbars hidden. there are thousands of sites out there right now that do that already, so most people would turn off the notification because they'd get tired of clicking "allow". and then we'd be right back where we are. we need a more well thought out solution.
brianstop
Posts: 92
Joined: July 18th, 2004, 10:55 pm

Re: Phishing with XUL: demonstration of address bar spoofing

Post by brianstop »

rat144 wrote: We can't rely on users to make ANY configuration changes; Firefox must be secure by default.


You are so right rat.
brianstop
Posts: 92
Joined: July 18th, 2004, 10:55 pm

Post by brianstop »

Molerat wrote: ... it comes down to a question of who the intended userbase is. Who is Firefox being developed for? Is it for the developers? Geeks? Hobbyists? The unwashed masses?

Here's a loaded question: what's more important, grandma-proofing online banking, or the wishes of the developer community?....


Excellent questions...
shevegen666
Posts: 444
Joined: May 12th, 2004, 7:18 am

Post by shevegen666 »

Well, as long as it's not developed FOR grandmas BUT to make it more secure for grandmas AND still a really cool and feature-rich browser, it's fine.
Freyr
Posts: 81
Joined: July 17th, 2004, 11:34 am
Location: Missouri,USA

Post by Freyr »

AnonEmoose - All true, but if it's enabled by default and people disable it, they can't complain when they get owned; we tried and they threw it away. But this would not be a stupid click-thru popup (which are a pain in the ass, as most click thru without reading it anyway). The website would just load like normal but minus the chrome changes. A bar like the popup blocker now has, and it would take two clicks to add the site to a white list if you need it or to not show the bar anymore (but still have it in the statusbar, next to the popup blocker icon).

No chrome changes = Normal icon
Disable totally in the option menu = X thru Icon
Chrome changes blocked = Red Icon
Chrome changes on white list site = Green Icon

scratch - By default it would disable chrome changes; you would have to set it on a site-by-site basis even if you make it not pop up in a bar (like popups does). If you go into options/preferences and uncheck it then it would be turned off totally. This is the only idea I can think of; there has to be some give and take on this subject. Some sites need it, some don't need it. Also I thought the spoofing in question directly used chrome for the spoofing. 90% of the idea is mainly to stop the removal of chrome; the adding chrome part is a bonus and does not need to be added if it's bad or if it's hard to code.

I personally only go to like three sites that remove some chrome and I'd just block their chrome changes and not worry about it.

Who should I send this idea to that can code? Any idea is better than none. I'll see about making a long summary on this with more detail; I got a few more ideas to add to it that would make it better.
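
The per-site policy proposed in the posts above, modelled as an added example that is not part of the thread or of Firefox's code: it parses a window.open() features string under simplified classic semantics, decides which bar-hiding requests are honoured, and returns the matching status icon. All function and constant names are hypothetical, and the sample URLs are constructed.

```javascript
// Added example; parseHiddenBars, newPolicy, decideChrome and ICON are hypothetical names.
const BARS = ["location", "status", "menubar", "toolbar"];
const ICON = { NORMAL: "normal", DISABLED: "x", BLOCKED: "red", ALLOWED: "green" };

// Simplified classic window.open() semantics (an assumption of this model):
// an empty features string keeps every bar; otherwise a bar stays visible
// only if it is listed bare ("location") or with the value yes/1.
function parseHiddenBars(features) {
  const text = (features || "").trim().toLowerCase();
  if (text === "") return [];
  const visible = new Set();
  for (const item of text.split(",")) {
    const [name, value = "yes"] = item.split("=").map((s) => s.trim());
    if (value === "yes" || value === "1") visible.add(name);
  }
  return BARS.filter((bar) => !visible.has(bar));
}

// Blocking is on by default and localhost is pre-allowed, as the post suggests.
function newPolicy() {
  return { enabled: true, allowlist: new Set(["localhost"]) };
}

// Returns the bars that end up hidden and the status icon to display.
function decideChrome(openerUrl, features, policy) {
  const host = new URL(openerUrl).hostname; // URL parsing lowercases the host
  const requested = parseHiddenBars(features);
  // Feature switched off in options: requests pass through, icon shows an X.
  if (!policy.enabled) return { hidden: requested, icon: ICON.DISABLED };
  if (requested.length === 0) return { hidden: [], icon: ICON.NORMAL };
  // Exact host match only: "www.site.com.example.net" must not inherit
  // the allowlist entry for "www.site.com".
  if (policy.allowlist.has(host)) return { hidden: requested, icon: ICON.ALLOWED };
  // Not allowlisted: the window opens with every bar left in place.
  return { hidden: [], icon: ICON.BLOCKED };
}

// Constructed sample: a webmail popup before and after the user allows the site.
const demo = newPolicy();
console.log(decideChrome("http://www.site.com/mail", "width=400,height=300", demo));
demo.allowlist.add("www.site.com");
console.log(decideChrome("http://www.site.com/mail", "width=400,height=300", demo));
```
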