Serious security issue -- phishing vulnerability
-
- Posts: 28
- Joined: January 29th, 2004, 2:37 pm
A fix that works ...
I tried the workaround of editing the compreg.dat file(s) as provided by BeesTea at BBR and it works on my system, even after closing and restarting the browser. I did a search and found two compreg.dat files on my WIN pc, commented the line in both of them. See:
http://www.dslreports.com/forum/remark, ... t=security
Quote from BeesTea's workaround:
For Windows
c:\Documents and Settings\$USER\Application Data\Mozilla\Firefox\Profiles\default.random\compreg.dat
For UNIX
~/.mozilla/firefox/default.random/compreg.dat
Removing the line that references IDN makes the problem go away. Using Find, there was a single reference for the UNIX host and 2 for the Win32 host. Removing the lines and restarting the browser makes the attack fail regardless of the about:config/userprefs.js value.
Here's an example entry.
{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so
End Quote
Edit - I understand that compreg.dat may be overwritten with a nightly build update, so I will need to check the files again after any updates...
HTH
EG
Cheers,
EG
- venus_de_mpls
- Posts: 1059
- Joined: December 23rd, 2004, 3:43 pm
- Location: Minneapolis, MN, USA, Earth
Kylotan wrote:
venus_de_mpls wrote: I would prefer seeing the spoofed address in the error message. And in time I am hopeful the error message will reflect blocking a spoofed address.
Are you not missing the point though? This system is there to allow a set of valid IDN addresses, which unfortunately just happen to resemble existing ones which may or may not be something like paypal. I can understand you might want it turned off by default as a security measure, but as far as I can see, when it is in operation I get the correct error messages with the exact address it was trying to access. The only difference between a spoofed address and a legitimate one is the intention, really.
Not missing the point at all. I just worry that users implementing the fix might interpret the error message as now having this problem: http://forums.mozillazine.org/viewtopic.php?t=211351
-
- Posts: 0
- Joined: December 31st, 1969, 5:00 pm
solution works for me
I've disabled network.enableIDN and it prevents Firefox from opening spoofed sites. Even after Firefox restart! I'm using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8a6) Gecko/20050111 Firefox/1.0+ (MOOX M1) - the best trunk I've seen since Fx1.0
-
- Posts: 3483
- Joined: November 4th, 2002, 10:47 pm
- Location: Ann Arbor, Michigan
- Contact:
Jus wrote: Newbie questions, what is this IDN for?
It allows characters from different character sets in URLs. Russian users can have Cyrillic URLs and Japanese users can have Japanese URLs, for example.
Jus wrote: Why is kmeleon not vulnerable when the other gecko browsers are?
Probably because it has a completely different user interface built using native code instead of XUL.
-
- Posts: 2158
- Joined: December 22nd, 2004, 11:47 am
Jus wrote: Why is kmeleon not vulnerable when the other gecko browsers are?
In a way it's vulnerable too. It can still open a link to a fraudulent site. If that site looks to you like the site you are expecting, you might be fooled.
The difference is that if you look in the address window, K-Meleon will probably display the name of the site in a way that will allow you to tell the difference. But you still have to examine the address window. Unfortunately, the difference in appearance may be small enough that you may not notice the difference, and the appearance may be different on different systems. This is not a criticism of K-M, but protection is not automatic.
You should be aware that even once this problem is "solved", you will still be somewhat vulnerable with any browser. A link called "Secure Banking at Your Branch" can still send you to TransferAllYourMoneyToNigeria.Burp.com. Or it might be "https://www.Secure.BankAmerika.con/urbranch/posting.php?mode=106823burp231523=youwontreadthisfarbutyouvebeenhad?haha".
Last edited by AnotherGuest. on February 9th, 2005, 1:07 pm, edited 1 time in total.
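Added example, not part of the thread or of any browser's code: a sketch of the check the posts above describe doing by eye, reporting which labels of a hostname are IDN, showing their ASCII ("xn--") form, and flagging labels that mix Latin letters with another script. The function names and sample hostnames are constructed for illustration, and the script detection is an approximation based on Unicode character names.

```python
import unicodedata

def label_scripts(label):
    """Scripts used by the letters of one DNS label (digits/hyphens ignored).

    Approximation: the first word of the Unicode character name.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def to_ace(label):
    """ASCII-compatible ("xn--") form of a label; ASCII labels pass through.

    Simplification: only lowercasing is applied, not full IDNA nameprep.
    """
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def inspect_host(host):
    """Report which labels are IDN and which mix Latin with another script."""
    labels = host.lower().split(".")
    findings = []
    for label in labels:
        if label.isascii():
            continue
        scripts = label_scripts(label)
        findings.append({
            "label": label,
            "ace": to_ace(label),
            "scripts": sorted(scripts),
            # Latin letters next to look-alikes from another alphabet are the
            # pattern that lets a spoofed name pass a quick glance.
            "mixed_with_latin": "LATIN" in scripts and len(scripts) > 1,
        })
    return {
        "ace_host": ".".join(to_ace(l) for l in labels),
        "idn": bool(findings),
        "suspicious": any(f["mixed_with_latin"] for f in findings),
        "labels": findings,
    }

if __name__ == "__main__":
    # Constructed samples; the first uses U+0430 (Cyrillic a) for Latin "a".
    for name in ["p\u0430ypal.com", "paypal.com",
                 "\u043f\u0440\u0438\u043c\u0435\u0440.example"]:
        print(inspect_host(name))
```

A label written entirely in one non-Latin script is reported as IDN but not flagged, so this check does not catch look-alikes built from a single alphabet.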