Phishing with XUL: demonstration of address bar spoofing

Discussion of general topics about Mozilla Firefox
Posts: 727
Joined: July 7th, 2004, 10:52 am

Posted July 31st, 2004, 11:10 pm

How about adding a colored border strip around the four sides of any window that does this? This wouldn't interfere with the usefulness of such windows, but would very easily distinguish such windows from normal windows, which is what the scam relies on -- fooling the user into thinking it's a normal window.

Posts: 727
Joined: July 7th, 2004, 10:52 am

Posted July 31st, 2004, 11:28 pm

And from this thread ... 5&start=15 there is another very good suggestion.

Insurgent wrote: This is a vulnerability though it's also a useful capability.
I think the easiest solution is just like what has been done with applet windows since forever. Any detached window should be marked with "Warning: XUL Application window" on a non-hideable, non-coverable bar at the top/bottom.
I also think that any bugs still marked "confidential" need to be addressed and made public before the final 1.0 release. Keeping them confidential while they are being fixed is one thing, but 5 years... either it's a vulnerability or it's not, but don't keep it secret for 5 years. That's the MS way and I feel it's very unbecoming of the Moz team and will cause people to rapidly lose confidence in them.
The rapid response to the Shell: problem was excellent and confidence inspiring. This is not.

Emphasis mine.


Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Posted August 1st, 2004, 12:28 am

It doesn't use chrome. It uses JavaScript to hide the real chrome, then implements fake chrome using either XUL or HTML, depending on which example you're talking about. Hmm, I just came up with another possible solution that doesn't involve removing features or adding yet another complication to viewing simple webpages. How about displaying a tooltip on form submit buttons that shows you the URL that the form is submitted to? It would also have to indicate if there's any onClick handler, obviously.

Posts: 1293
Joined: December 22nd, 2002, 5:32 am
Location: Dundee, Scotland

Posted August 1st, 2004, 2:07 am

It can't override the OS chrome though can it? Therefore if all XUL application windows have their normal titles overridden by the warning it should work.


Posts: 8
Joined: May 4th, 2004, 4:21 pm
Location: Spain, Madrid

Posted August 10th, 2004, 2:06 am

Mozilla Press Release wrote: Firefox, the Mozilla Foundation's first product squarely aimed at end users, [bla bla]

So that's grandma, isn't it? Firefox is a great browser not only for geeks, developers and that kind of super tech people. It's for everybody. Kids, businessmen, your neighbor, G.W. Bush, anyone.
Firefox is just a browser, not a suite or a runtime to run cool XUL applications, even if it could be. But this seems not to be as secure as we all wish, for grandma. So let's disable it until we are 100% sure that no bad guy will use it for his own benefit.
One great goal of Firefox, and Mozilla, is that they follow the W3C standards, so that's HTML, XHTML, XML, CSS, DOM, etc. But is XUL a standard? Is it really necessary to view XUL applications in our browser by default?
Maybe the best solution to this security issue, as has been suggested, is a whitelist of sites that can use XUL. So those who developed XUL applications can still run them. Also a sandbox for XUL is a great idea, but maybe more complicated to see in the Firefox milestone.
Obviously you still have to keep your eyes open for phishing. But we shouldn't make things easier for the bad guys. So let's give grandma a secure Firefox for banking or shopping. And even if she accepts XUL by mistake, let's make the difference so that when it runs XUL she can at least notice that a bad guy is trying to steal her purse.


Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Posted August 10th, 2004, 7:27 am

AnonEmoose wrote:----->Begin Rant<----
this issue is SOOOO overblown... anyone can fake a site, and make it look real; it's the nature of the Internet and ALL people (yes people, not the browser) need to be more aware..... You DO look all ways before crossing an intersection... Don't You??
----->End Rant<------

If you want to verify your location, just use this bookmarklet to verify the page location in your addressbar matches the page you are viewing...
Code:
javascript:alert(%22The actual URL is:\t\t%22 + location.protocol + %22//%22 + location.hostname + %22/%22 + %22\nThe address URL is:\t\t%22 + location.href + %22\n%22 + %22\nIF the above SERVER names do NOT match EACH other; OR, if they do NOT match the Address in the Location Bar, this MAY be a SPOOF.%22);

credit: Jesse Ruderman (if I can recall correctly)

I've been using a bookmarklet like this for a while. However, my bookmarks toolbar (where I conveniently have the bookmarklet) was hidden on the spoof page. So I created an extension to add it to my context menu. Now I can always click it and I don't even have to worry about bookmarks. Based on AnonEmoose's suggestion, I added a toolbar button for it also. I'm sure some people prefer a toolbar button over a context menu, and it's also one more thing to make you realize you're not really looking at your browser's toolbar. Since it's an extension rather than just a bookmark, it works even with Javascript disabled too.

VerifyURL -

This might be a good security measure for newbs that we setup with Firefox. Get them in the habit of checking it when something seems fishy, and they're more likely to notice the altered UI too.
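The comparison the bookmarklet above leaves to the reader's eye, written as a testable function; this is an added example, not code from the thread or from the VerifyURL extension, and the names `compareLocations`, `parseLocation` and `describeLocation` and the sample addresses are constructed here. It assumes `realHref` is what `location.href` returns inside the page and `shownHref` is the address the user can read in the bar in front of them, which a spoofed window may have painted itself.

```javascript
// Added example (not from the thread): any difference in scheme, host or port
// between the real location and the bar the user is reading means the visible
// bar is not describing the page that is actually loaded.

function parseLocation(urlText) {
  // new URL() (browsers, Node 10+) lower-cases the host, drops a default port
  // and keeps userinfo separate, so "http://bank.example@evil.example/" parses
  // to hostname "evil.example", not the bank name the eye latches on to.
  const u = new URL(urlText);
  return { protocol: u.protocol, hostname: u.hostname, port: u.port };
}

function compareLocations(realHref, shownHref) {
  let real, shown;
  try {
    real = parseLocation(realHref);
    shown = parseLocation(shownHref);
  } catch (err) {
    // An address that does not parse cannot be vouched for either.
    return { match: false, reasons: ["unparseable URL: " + err.message] };
  }
  const reasons = [];
  for (const part of ["protocol", "hostname", "port"]) {
    if (real[part] !== shown[part]) {
      reasons.push(`${part}: bar shows "${shown[part]}", page is "${real[part]}"`);
    }
  }
  return { match: reasons.length === 0, reasons };
}

// Text in the spirit of the bookmarklet's alert, built only from the real location.
function describeLocation(realHref) {
  const real = parseLocation(realHref);
  const port = real.port ? ":" + real.port : "";
  return `The actual server is: ${real.protocol}//${real.hostname}${port}/`;
}

// Constructed sample: a fake bar painted with the bank's address over a page
// that really came from evil.example (note the userinfo trick in the real URL).
const sampleReal = "http://bank.example@evil.example/login";
const sampleShown = "https://bank.example/login";
console.log(describeLocation(sampleReal));
console.log(compareLocations(sampleReal, sampleShown));
```

Because the bookmarklet reads every value from the same `location` object, its two lines always agree with each other; the comparison that matters is against what is drawn on screen, which is what the second argument stands for here.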

Posts: 8
Joined: June 17th, 2004, 4:28 am

Posted August 10th, 2004, 12:07 pm

Well, I tried the sites with 0.9.3 and it worked pretty well except for the nightlies, which showed the yellow bar. Two things I noticed... the spoof didn't work in tabs (they wouldn't display anything) and after installing the SpoofStick extension it also gave it away... any comments on these two items?

Posts: 6
Joined: February 22nd, 2004, 8:29 am

Posted August 17th, 2004, 10:47 am

I thought the last version of Firefox (0.9.3 in French) was about to solve this problem, but when I tried the "spoof test" again with 0.9.3, when I click on the "security icon" at the bottom left of the screen, it still tells me "this is a verified secure website"!!

What's going on ?


Posts: 3453
Joined: May 22nd, 2003, 3:51 pm
Location: NGC 2403

Posted August 17th, 2004, 11:03 am
