Discussion of general topics about Mozilla Firefox
While there has been some discussion about phishing-type attacks before, nobody really seems to have done anything about them. (phishing: spoofing a real website to steal passwords and identities, see http://www.antiphishing.org.)
Meanwhile, this one discusses a change to FFX nightlies that makes the address bar turn yellow in the presence of a secure server. Well, it's a start... but it is by no means a panacea.
 Now it works with a nightly.
By using XUL, a phisher can spoof the address bar, the little lock down in the corner, and even the "Security Info" page that pops up when you double click on the lock. The worst part? It took me less than half a day to hack up the XULs to do this. A determined scam artist could do some amazing things if he wanted to spend a week on it.
We can't rely on users to make ANY configuration changes; Firefox must be secure by default. Furthermore, we can't rely on them to "just know" whether something looks a tiny bit off; it has to be painfully obvious. So, here's my question. How do we minimize the chance of a user getting phished?
Last edited by rat144 on July 19th, 2004, 5:00 pm, edited 2 times in total.
Although the first site did hide my navigation bar, that's about the only effect I noticed from those test sites, with our without my customized preferences.
The first page was an empty yellow screen with red border with the following text on it..
<menuitem label="&emptyItem.label;" disabled="true"/>
The second page looked like a paypal receipt page but the address bar text was not changed to spoof the paypal site, nor were there any indications that I was on a secure site in either link.
I am using a nightly build from just a couple days ago, btw.
When I try the first page in internet explorer it brings up a download prompt because it's an xul filetype.
Last edited by Lost User 49637 on July 19th, 2004, 5:39 am, edited 1 time in total.
Doesn't work for me i'm getting this:
XML Parsing Error: undefined entity
Line Number 822, Column 28: <menuitem label="&emptyItem.label;" disabled="true"/>
I agree with some of your thoughts though, we could for instance uncheck the option to allow sites to hide the statusbar, that would help a lot, although you say it doesn't.
Good job rat144, could I suggest (if you haven't already) that you file a bug about this issue at http://bugzilla.mozilla.org/ (preferably in the Browser product), I'm not sure how many developers actually read these forums.
p.s. Everyone else try it on the 0.9 milestone not the nightlies.
Yeah I hate stripped down windows that websites open. So I set all of the dom.disable_window_open_feature.* entries to true so I get fully functional windows.
http://kb.mozillazine.org/index.phtml?t ... ig_Entries#DOM.*
Using Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.7) Gecko/20040707 Firefox/0.9.2 (French)
and its really scary. Even knowing there was a spoof somewhere, I still think the page COULD be real. Ok my toolbar icon is small, but I've already saw pages opened that changed it (maybe in ie? can't remember) so this site will fool me, and I consider myself a advance user... This is trully a security issue and should be corrected...
I agree that this looks like an issue with serious implications. Obviously this sort of functionality might be great for intranet applications of some sort, but is dangerous on the web. (See also: ActiveX...)
There are some other heuristics that Firefox could use when deciding whether to warn a user or not:
- address bar content differs from Page Info's URL
- type is application/vnd.mozilla.xul+xml yet the file was retrieved from a remote server
- password field in a form that is submitted to a non-secure domain
I didn't see the lock in corner (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1), but I doubt anyone I know would know the difference, unless they were using a different theme.
It is very frightening.
Could someone post a screen of what the first site looks like? I don't feel like uninstalling my nightly build just to get it to work properly.
rhaytana... I'd never fall for something like that, but that doesn't change the seriousness of an exploit like this that does need to be addressed. The site listed fools both internet explorer and firefox.
For this to work someone would have to be tricked into going to one of these sites though.. I'd hardly call it the end to online banking.
Last edited by Lost User 49637 on July 19th, 2004, 9:19 am, edited 1 time in total.
Well that's disturbing.
Well, thanks for verifying that it does in fact work. I was kinda wondering if it was just my machine. (Or my head -- it was kinda late.)
That being said, when I get a chance today, I'll make a version that works on the latest nightly. That way, I might be able to convince those folks at bugzilla that this is real.
And here's a screenshot of what it looks like on FFX 0.9.2 release. I shoulda attached that to begin with.
I don't think that the solution to this problem is a technical solution -- I think it's gotta be a creatitve solution. That's why I posted here. I was hoping you guys could come up with some fun scheme to prevent this. Maybe seeding every user profile with a random number that can't be read by a webpage, but somehow controls the colors or the appearance of secure websites. If John notices that every time he goes to a secure website, the status bar turns lime-green, then he'll be suspicious if it turns any other color. This works because bad guys *can't* read your preferences. ... I hope.
Good job rat144 I hope this gets fixed. Dangerous.
BTW it's really neat how real it looks!
Who is online
Users browsing this forum: Google [Bot], ndebord and 2 guests