Serious security issue -- phishing vulnerability

Discussion of bugs in Mozilla Firefox
egeezer
Posts: 28
Joined: January 29th, 2004, 2:37 pm

A fix that works ...

Post by egeezer »

I tried the workaround of editing the compreg.dat file(s) as provided by BeesTea at BBR and it works on my system, even after closing and restarting the browser. I did a search and found two compreg.dat files on my WIN pc, commented the line in both of them. See:

http://www.dslreports.com/forum/remark, ... t=security


Quote from BeesTea's workaround:
For windows
c:\Documents and Settings\$USER\Application Data\Mozilla\Firefox\Profiles\default.random\compreg.dat

For UNIX
~/.mozilla/firefox/default.random/compreg.dat

Removing the line that references IDN makes the problem go away. Using Find, there was a single reference for the UNIX host and 2 for the Win32 host. Removing the lines and restarting the browser makes the attack fail regardless of the about:config/userprefs.js value.

Here's an example entry.

{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so

End Quote

Edit - I understand that compreg.dat may be overwritten with a nightly build update, so I will need to check the files again after any updates...

HTH

EG
Cheers,

EG
venus_de_mpls
Posts: 1059
Joined: December 23rd, 2004, 3:43 pm
Location: Minneapolis, MN, USA, Earth

Post by venus_de_mpls »

Kylotan wrote:
venus_de_mpls wrote: I would prefer seeing the spoofed address in the error message. And in time I am hopeful the error message will reflect blocking a spoofed address.


Are you not missing the point though? This system is there to allow a set of valid IDN addresses, which unfortunately just happen to resemble existing ones which may or may not be something like paypal. I can understand you might want it turned off by default as a security measure, but as far as I can see, when it is in operation I get the correct error messages with the exact address it was trying to access. The only difference between a spoofed address and a legitimate one is the intention, really.


Not missing the point at all. I just worry that users implementing the fix might interpret the error message as now having this problem: http://forums.mozillazine.org/viewtopic.php?t=211351
lynchknot
Posts: 6253
Joined: November 4th, 2002, 7:36 pm

Post by lynchknot »

oops, wrong thread
Last edited by lynchknot on February 8th, 2005, 1:54 pm, edited 1 time in total.
lynchknot
Posts: 6253
Joined: November 4th, 2002, 7:36 pm

Post by lynchknot »

hehe, oops again
Lost User 101655
Posts: 0
Joined: December 31st, 1969, 5:00 pm

solution works for me

Post by Lost User 101655 »

I've disabled network.enableIDN and it prevents Firefox from opening spoofed sites. Even after Firefox restart! I'm using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8a6) Gecko/20050111 Firefox/1.0+ (MOOX M1) - the best trunk I've seen since Fx1.0
jtjt00
Posts: 10
Joined: February 9th, 2005, 7:34 am

Post by jtjt00 »

If, after modifying the compreg.dat file, you are unable to launch Firefox, then you need to go back to the original compreg.dat file.

This happens to me.
AnotherGuest.
Posts: 2158
Joined: December 22nd, 2004, 11:47 am

Post by AnotherGuest. »

Just a comment on grocal's solution:

The version he is using is recent enough so that particular solution works correctly.

That solution does not work with the official release (1.0) because of a bug. People using the official release should just read the sticky note.
Jus
Posts: 485
Joined: August 12th, 2004, 11:37 am

Post by Jus »

Newbie questions, what is this IDN for?

Why is kmeleon not vulnerable when the other gecko browsers are?
schapel
Posts: 3483
Joined: November 4th, 2002, 10:47 pm
Location: Ann Arbor, Michigan

Post by schapel »

Jus wrote: Newbie questions, what is this IDN for?


It allows characters from different character sets in URLs. Russian users can have Cyrillic URLs and Japanese users can have Japanese URLs, for example.

Jus wrote: Why is kmeleon not vulnerable when the other gecko browsers are?


Probably because it has a completely different user interface built using native code instead of XUL.
AnotherGuest.
Posts: 2158
Joined: December 22nd, 2004, 11:47 am

Post by AnotherGuest. »

Jus wrote: Why is kmeleon not vulnerable when the other gecko browsers are?

In a way it's vulnerable too. It can still open a link to a fraudulent site. If that site looks to you like the site you are expecting, you might be fooled.

The difference is that if you look in the address window, K-Meleon will probably display the name of the site in a way that will allow you to tell the difference. But you still have to examine the address window. Unfortunately, the difference in appearance may be small enough that you may not notice the difference, and the appearance may be different on different systems. This is not a criticism of K-M, but protection is not automatic.

You should be aware that even once this problem is "solved", you will still be somewhat vulnerable with any browser. A link called "Secure Banking at Your Branch" can still send you to TransferAllYourMoneyToNigeria.Burp.com. Or it might be "https://www.Secure.BankAmerika.con/urbranch/posting.php?mode=106823burp231523=youwontreadthisfarbutyouvebeenhad?haha".
Last edited by AnotherGuest. on February 9th, 2005, 1:07 pm, edited 1 time in total.
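
Added example (not part of any post in this thread): a small Python sketch of the idea discussed above, showing a hostname in a form that lets the reader tell a lookalike from the real name. It falls back to the ASCII (xn--) form whenever one label mixes Latin letters with another script. The function names, the script-tagging heuristic and the sample hostnames are assumptions made for illustration.

```python
import unicodedata

def scripts_in(label):
    """Coarse script tags for the letters of one hostname label.

    Assumption: the first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, HIRAGANA, CJK, ...) serves as the script tag.
    """
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}

def is_mixed_latin(label):
    """True when Latin letters share a label with letters of another script."""
    found = scripts_in(label)
    return "LATIN" in found and len(found) > 1

def to_ascii(host):
    """ASCII (xn--) form of a hostname via Python's built-in IDNA codec."""
    return host.encode("idna").decode("ascii")

def display_form(host):
    """Hostname as an address bar could show it: suspicious names in ASCII."""
    if any(is_mixed_latin(label) for label in host.split(".")):
        return to_ascii(host)
    return host

# Constructed sample hostnames (not taken from the thread).
SAMPLES = [
    "www.paypal.com",                                # plain ASCII
    "www.p\u0430ypal.com",                           # U+0430 CYRILLIC SMALL LETTER A
    "\u043f\u0440\u0438\u043c\u0435\u0440.example",  # all-Cyrillic label, left as is
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host!r:45} -> {display_form(host)}")
```

A label built entirely from lookalike letters of a single non-Latin script passes this check unchanged, so the heuristic narrows the problem rather than closing it.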
brwkem
Posts: 5
Joined: February 8th, 2005, 2:55 pm

Post by brwkem »

Where is the sticky?

I know it's a dumb question
schapel
Posts: 3483
Joined: November 4th, 2002, 10:47 pm
Location: Ann Arbor, Michigan

Post by schapel »

In the Mozilla Firefox Support forum (http://forums.mozillazine.org/viewforum.php?f=38).
AnotherGuest.
Posts: 2158
Joined: December 22nd, 2004, 11:47 am

Post by AnotherGuest. »

Not a dumb question at all. Congratulations! You are the 100,000th dumb person not to see the sticky notes! :banana: \:D/

CAN SOMEONE PLEASE PUT THE STICKY NOTES IN BIG NEON LETTERS? PRETTY PLEASE? :lol:

It's right at the top of page 1 of the Firefox Support Forum.
brwkem
Posts: 5
Joined: February 8th, 2005, 2:55 pm

Post by brwkem »

Funny.
If you go to firefox 1.x support the sticky isn't there.
IT SHOULD BE!
Have to go to the above forum to see it.
That should be in both forums.

So YES PUT THE STICKY NOTES IN BIG NEON LETTERS IN BOTH FORUMS
AnotherGuest.
Posts: 2158
Joined: December 22nd, 2004, 11:47 am

Post by AnotherGuest. »

I think you mean it's missing from the Mozilla 1.x support forum. Indeed it is.

Can you alert the moderator, and I'll do the same?