1292494 - Signing In Informations can be send to attacker site without showing URL of phishing site of attacker and instead of URL, about:blank is shown and real site title is showing

Status: RESOLVED INVALID

(Firefox :: Untriaged, defect)

Description

[Muhammad Tahir]

Attachment: This is winrar archive which contains video of Proof of concept and HTML File which is used to exploit.

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160726073904

Steps to reproduce:

I have open This URL http://jsfiddle.net/dy4swq4o/show/ and clicked on link then It opens new tab and then Phishing of G mail opens which I made for testing bug, The address of phishing is not showing and instead of URL there is title of google and about:blank then I enter my Login and password information and submit then these informaton are sending to my Example site: attackersite.com through post method and then information can be stolen. I am attaching script to test for yourself and Video Thanks.


Actual results:

login informations are sending to my testing site attackersite.com where these informations can be stoled and and user can be reditect to real web without awaring and seeing URL.


Expected results:

Software (Firefox) should be open new tab of phishing If It opens then It should showing URL of Page instead of about:blank and when submit It also alert of phishing or It at least should show URL of site which stealing their informations.

Comment 1

[:Gijs (he/him)]

What you're really doing is:

var foo = window.open(''); // opens about:blank under control of the "attacker"
foo.document.body.innerHTML = "<title>Gmail</title>... more HTML here.";

So showing about:blank is correct. Other browsers behave the same way. We show the title because you have a <title> tag in the HTML.