Phishing with XUL: demonstration of address bar spoofing

Discussion of general topics about Mozilla Firefox
rat144
Posts: 6
Joined: July 19th, 2004, 2:49 am

Phishing with XUL: demonstration of address bar spoofing

Post by rat144 »

While there has been some discussion about phishing-type attacks before, nobody really seems to have done anything about them. (phishing: spoofing a real website to steal passwords and identities, see http://www.antiphishing.org.)

On this thread, the conclusion seems to be that everybody should go into about:config and set a bunch of javascript permission prefs. Or that you should just "know" a fake page from a real one. Yeah... new users love that kind of stuff.

Meanwhile, this one discusses a change to FFX nightlies that makes the address bar turn yellow in the presence of a secure server. Well, it's a start... but it is by no means a panacea.

These really aren't solutions to the current phishing problem. But, in fact, it gets worse. Because the status bar can be turned off in Javascript by default with FFX 0.9, phishing sites can be made to look *exactly* like the real thing. Don't believe me? Think it's impossible to spoof the location bar? I made a demo page. It's really scary; try it out.

[edit] Now it works with a nightly.

By using XUL, a phisher can spoof the address bar, the little lock down in the corner, and even the "Security Info" page that pops up when you double click on the lock. The worst part? It took me less than half a day to hack up the XULs to do this. A determined scam artist could do some amazing things if he wanted to spend a week on it.

We can't rely on users to make ANY configuration changes; Firefox must be secure by default. Furthermore, we can't rely on them to "just know" whether something looks a tiny bit off; it has to be painfully obvious. So, here's my question. How do we minimize the chance of a user getting phished?

(No, class, the answer is not merely "prevent javascript from hiding the statusbar". That only goes so far; we need to think up a more foolproof way to establish positive website identity.)
Last edited by rat144 on July 19th, 2004, 5:00 pm, edited 2 times in total.
Lost User 49637
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by Lost User 49637 »

Although the first site did hide my navigation bar, that's about the only effect I noticed from those test sites, with or without my customized preferences.

The first page was an empty yellow screen with red border with the following text on it..

<menuitem label="&emptyItem.label;" disabled="true"/>
---------------------------^

The second page looked like a paypal receipt page but the address bar text was not changed to spoof the paypal site, nor were there any indications that I was on a secure site in either link.

I am using a nightly build from just a couple days ago, btw.


When I try the first page in Internet Explorer it brings up a download prompt because it's an xul filetype.
Last edited by Lost User 49637 on July 19th, 2004, 5:39 am, edited 1 time in total.
Shadow3333
Posts: 1761
Joined: November 5th, 2002, 5:22 am
Location: Amsterdam, Holland

Post by Shadow3333 »

Doesn't work for me :) I'm getting this:

XML Parsing Error: undefined entity
Location: http://www.nd.edu/~jsmith30/xul/test/browser.xul
Line Number 822, Column 28: <menuitem label="&emptyItem.label;" disabled="true"/>
---------------------------^

I agree with some of your thoughts though, we could for instance uncheck the option to allow sites to hide the statusbar, that would help a lot, although you say it doesn't.

edit:
too late :P
Pike
Posts: 2293
Joined: August 10th, 2003, 12:12 pm
Location: UK

Post by Pike »

Good job rat144, could I suggest (if you haven't already) that you file a bug about this issue at http://bugzilla.mozilla.org/ (preferably in the Browser product), I'm not sure how many developers actually read these forums.

p.s. Everyone else try it on the 0.9 milestone not the nightlies.
polidobj
Posts: 3147
Joined: March 31st, 2004, 9:10 am
Location: Maryland USA - im in ur tinderbox, crashtesting ur firefox

Post by polidobj »

Shadow3333 wrote: Doesn't work for me :) I'm getting this:

XML Parsing Error: undefined entity
Location: http://www.nd.edu/~jsmith30/xul/test/browser.xul
Line Number 822, Column 28: <menuitem label="&emptyItem.label;" disabled="true"/>
---------------------------^

I agree with some of your thoughts though, we could for instance uncheck the option to allow sites to hide the statusbar, that would help a lot, although you say it doesn't.

edit:
too late :P


Yeah I hate stripped down windows that websites open. So I set all of the dom.disable_window_open_feature.* entries to true so I get fully functional windows.
http://kb.mozillazine.org/index.phtml?t ... ig_Entries#DOM.*
Brian J Polidoro - Today's bugs brought to you by Raid. :P
Windows7 - Firefox user since ~Feb 2002
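As an added illustration of the change polidobj describes (this is not his posted configuration, and it is not code from the thread), here is a user.js fragment that sets the dom.disable_window_open_feature.* prefs. The pref names are the ones Firefox of that era exposed under about:config; treat the exact list as an assumption and check it against your build before relying on it.

```javascript
// Added example, not from the thread: user.js settings so that a script's
// window.open() cannot strip the chrome a user relies on to judge a page.
// Pref names are assumed from the about:config entries of the time; verify
// them in your own build.

// Default (weak): a popup may be opened without a location bar or status bar,
// which is what lets a page hide the real address and lock indicators.
// user_pref("dom.disable_window_open_feature.location", false);
// user_pref("dom.disable_window_open_feature.status", false);

// Hardened: every script-opened window keeps its address bar, status bar
// and the rest of the chrome, regardless of the features the page asks for.
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_open_feature.toolbar", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.personalbar", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
```

Note the limit rat144 points out in the opening post: these prefs only protect the real chrome. A page that draws a fake address bar and lock inside its own content area, as the XUL demo does, is unaffected, so the user still has to tell painted chrome from real chrome.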
big_gie
Posts: 153
Joined: August 29th, 2003, 7:00 am
Location: Montréal, Québec, Canada

Post by big_gie »

Using Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.7) Gecko/20040707 Firefox/0.9.2 (French)
and it's really scary. Even knowing there was a spoof somewhere, I still think the page COULD be real. Ok my toolbar icon is small, but I've already seen pages opened that changed it (maybe in IE? can't remember) so this site will fool me, and I consider myself an advanced user... This is truly a security issue and should be corrected...
Kylotan
Posts: 478
Joined: July 21st, 2003, 4:45 am
Location: Nottingham, UK

Post by Kylotan »

I agree that this looks like an issue with serious implications. Obviously this sort of functionality might be great for intranet applications of some sort, but is dangerous on the web. (See also: ActiveX...)

Can there be a prompt or message box that comes up when Javascript attempts to create a window like that? It could have the short delay just as the extensions installation prompt does, and could tell the user exactly which web page created the window and which domain it is from, along with a short warning. There could be an option to 'always treat this domain as safe' so that anyone who is using this sort of thing legitimately will only get this message box once.

There are some other heuristics that Firefox could use when deciding whether to warn a user or not:
- address bar content differs from Page Info's URL
- type is application/vnd.mozilla.xul+xml yet the file was retrieved from a remote server
- password field in a form that is submitted to a non-secure domain
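The three heuristics Kylotan lists, written out as checks a browser (or an extension with access to the same data) could run before letting a page present itself as trustworthy. This is an added example and not code from the thread or from Mozilla; the page descriptors and host names in it are constructed for the demonstration, and the function names are my own.

```javascript
'use strict';

// Added example (not from the thread): Kylotan's three heuristics as checks
// over a minimal description of a loaded document. Page descriptors below are
// constructed for the demo; the host names are hypothetical.

const XUL_TYPE = 'application/vnd.mozilla.xul+xml';

// Minimal picture of a loaded document: the URL it really came from, the URL
// the chrome shows the user, its MIME type, and the forms it contains.
function makePage({ realUrl, shownUrl, contentType, forms = [] }) {
  return { realUrl, shownUrl, contentType, forms };
}

// Heuristic 1: address bar content differs from the document's real URL.
function addressBarMismatch(page) {
  return new URL(page.shownUrl).href !== new URL(page.realUrl).href;
}

// Heuristic 2: XUL content type, yet the document came from a remote server
// rather than the browser's own chrome:// or a local file.
function remoteXul(page) {
  const proto = new URL(page.realUrl).protocol;
  const isLocal = proto === 'chrome:' || proto === 'file:';
  return page.contentType.toLowerCase().startsWith(XUL_TYPE) && !isLocal;
}

// Heuristic 3: a password field in a form that submits somewhere non-https.
// An empty action submits to the document's own URL; relative actions resolve
// against it, and an absolute action is how a form silently posts elsewhere.
function insecurePasswordForm(page) {
  return page.forms.some((form) => {
    const hasPassword = form.fields.some((f) => f.type === 'password');
    const target = new URL(form.action || '', page.realUrl);
    return hasPassword && target.protocol !== 'https:';
  });
}

// Returns the warnings a browser could show for the page, in a fixed order.
function assessPage(page) {
  const warnings = [];
  if (addressBarMismatch(page)) warnings.push('address-bar-mismatch');
  if (remoteXul(page)) warnings.push('remote-xul');
  if (insecurePasswordForm(page)) warnings.push('insecure-password-form');
  return warnings;
}

// Constructed sample pages (hypothetical hosts).
const SAMPLES = {
  // A real login page: https, address bar matches, HTML, posts to https.
  legit: makePage({
    realUrl: 'https://bank.example/login',
    shownUrl: 'https://bank.example/login',
    contentType: 'text/html; charset=utf-8',
    forms: [{ action: '/login', fields: [{ type: 'text' }, { type: 'password' }] }],
  }),
  // Remote XUL painting a fake address bar over its content and posting the
  // captured password to a plain-http collector: all three heuristics fire.
  spoof: makePage({
    realUrl: 'http://attacker.example/browser.xul',
    shownUrl: 'https://bank.example/login',
    contentType: 'application/vnd.mozilla.xul+xml',
    forms: [{ action: 'http://attacker.example/collect', fields: [{ type: 'password' }] }],
  }),
  // Intranet XUL app with no password form: only the remote-XUL warning,
  // the case for an "always allow this domain" choice rather than a block.
  intranet: makePage({
    realUrl: 'http://intranet.corp.example/app.xul',
    shownUrl: 'http://intranet.corp.example/app.xul',
    contentType: 'application/vnd.mozilla.xul+xml',
  }),
};

for (const [name, page] of Object.entries(SAMPLES)) {
  console.log(name, assessPage(page));
}
```

The first check is the decisive one, and also the one the demo defeats: it only works if the browser compares against chrome the page cannot paint over. The third catches only careless phishers, since nothing stops a scam site from submitting the form over https itself, and the second is a signal rather than a verdict, which is why Kylotan's per-domain "always treat as safe" prompt fits it better than a hard block.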
krazykit
Posts: 177
Joined: January 4th, 2004, 8:22 pm

Post by krazykit »

I didn't see the lock in corner (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1), but I doubt anyone I know would know the difference, unless they were using a different theme.

It is very frightening.
Lost User 49637
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by Lost User 49637 »

Could someone post a screen of what the first site looks like? I don't feel like uninstalling my nightly build just to get it to work properly.
rhaytana
Posts: 8
Joined: July 19th, 2004, 8:57 am

Post by rhaytana »

Unfortunately, this phishing example worked all too well with Firefox 0.9.2:

http://www.zapthedingbat.com/security/scriptinjection/

Adios online banking?
Lost User 49637
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by Lost User 49637 »

rhaytana... I'd never fall for something like that, but that doesn't change the seriousness of an exploit like this that does need to be addressed. The site listed fools both Internet Explorer and Firefox.

For this to work someone would have to be tricked into going to one of these sites though.. I'd hardly call it the end to online banking.
Last edited by Lost User 49637 on July 19th, 2004, 9:19 am, edited 1 time in total.
shevegen666
Posts: 444
Joined: May 12th, 2004, 7:18 am

Post by shevegen666 »

annoying, yea
Molerat
Posts: 135
Joined: January 21st, 2004, 3:27 pm

Post by Molerat »

Well that's disturbing.
rat144
Posts: 6
Joined: July 19th, 2004, 2:49 am

thanks

Post by rat144 »

Well, thanks for verifying that it does in fact work. I was kinda wondering if it was just my machine. (Or my head -- it was kinda late.)

That being said, when I get a chance today, I'll make a version that works on the latest nightly. That way, I might be able to convince those folks at bugzilla that this is real.

And here's a screenshot of what it looks like on FFX 0.9.2 release. I shoulda attached that to begin with.

I don't think that the solution to this problem is a technical solution -- I think it's gotta be a creative solution. That's why I posted here. I was hoping you guys could come up with some fun scheme to prevent this. Maybe seeding every user profile with a random number that can't be read by a webpage, but somehow controls the colors or the appearance of secure websites. If John notices that every time he goes to a secure website, the status bar turns lime-green, then he'll be suspicious if it turns any other color. This works because bad guys *can't* read your preferences. ... I hope.
alcatraz52
Posts: 372
Joined: August 17th, 2003, 11:27 pm

Post by alcatraz52 »

Good job rat144 :) I hope this gets fixed. Dangerous.

BTW it's really neat how real it looks!