Bug 991503 (Closed)
Opened 10 years ago, closed 6 years ago
URL Spoofing when The URL is aligned to right in The Location Bar
Categories: Firefox :: Address Bar, defect, P5
Status: RESOLVED WORKSFORME
People: Reporter: mreagle0x, Unassigned
Keywords: csectype-spoof, sec-low
Attachments: 2 files

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140331125246

Steps to reproduce:
1- Adjust (align) the URL in the Location Bar, in any opened tab, to the right by clicking into the Location Bar and then pressing CTRL+Right Shift.
2- Open the attached test case (URL Spoofing.html), then click the button in it.

Actual results:
Firefox doesn't show the real domain name and shows a spoofed one (https://www.mozilla.org) instead.

Note: It's right that the URL is aligned to the left by default in Firefox, but it's not that hard for a malicious website to ask/convince users to align the URL in the location bar to the right for any fake legitimate reason. Also, it's easy for an attacker to perform the attack using a domain name that has SSL (Secure Socket Layer) to spoof the SSL icon (the small lock icon) that appears for secure connections.

Expected results:
Firefox must show the real domain name regardless of the adjustment of the URL in the Location Bar. (This is the actual behavior in Internet Explorer 11, while the other web browsers such as Chrome/Chromium, Safari and Opera don't support aligning the URL to the right.)

Component: Untriaged → Location Bar
Keywords: csectype-spoof

Comment on attachment 8401115 [details]
URL Spoofing.html

> <html>
> <button onclick="document.location.href = 'http://www.example.com/https://www.mozilla.org/XxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXXXXXxxxxxxxxxxxxxxxxXXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXxxxxxxxxXxxxxxUUxxxxxxxxxxxxx'">Go to Mozilla.org</button>
> </html>

(In reply to Ahmed Elsobky (@MrEagle0x) from comment #2)
> Comment on attachment 8401115 [details]
> URL Spoofing.html

I have added some more characters to the URL to make it accurate on a fresh installation of Firefox that has no add-ons, so the code in #2 is the testcase now.

Given that this requires both the user to change the url bar from the default of left adjusted and to click on locations controlled by an attacker this is a sec-low at best (if at all). This requires lots of actions by the user and if I can get a user to do this I can likely get them to do much worse things.

In all likelihood this is a wontfix, I also see no reason to keep this bug hidden as

(In reply to Curtis Koenig [:curtisk] from comment #4)
> Given that this requires both the user to change the url bar from the
> default of left adjusted and to click on locations controlled by an attacker
> this is a sec-low at best (if at all). This requires lots of actions by the
> user and if I can get a user to do this I can likely get them to do much
> worse things.
>
> In all likelihood this is a wontfix, I also see no reason to keep this bug
> hidden as

I agree with you that this is a low-risk issue and that it somehow requires a lot of interaction. But as you know, the guidelines of security measures tell users not to download files from untrusted websites (domains), not to visit suspicious domains, etc., but these guidelines don't tell users not to align the URL to the right or not to click a link/button! Then, from a non-suspicious action, they will fall for the trick! So I don't agree with you that this could be considered a WONTFIX or that this is a very, very low risk. I think that this should (or must) be fixed.

Updated • 10 years ago
Flags: firefox-backlog+

Updated • 10 years ago
Flags: firefox-backlog+ → firefox-backlog-

Updated • 10 years ago
Keywords: csectype-spoof, sec-low

Updated • 6 years ago
Priority: -- → P5

Comment 7 • 6 years ago
I honestly don't understand the first step here. I suspect it was already working properly before, at least from where we added url highlight. We were already setting the selection to 0 to ensure the host visibility, it will probably now happen more consistently. The only case where I can see this happening is if you focus the urlbar and align the fake domain manually, but as soon as you blur, domain highlight kicks in and we realign to 0. Anyway, it looks like WFM for the blur case and WONTFIX for the focus case.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(mak77)
Resolution: --- → WORKSFORME
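
Added example (not part of the bug report and not Firefox code): a check that a link scanner, mail filter or proxy could run to flag the pattern used in the attached test case, where the part of the URL after the real host embeds a second scheme and host followed by long padding. The function names, the constructed sample URL and the 64-character padding threshold are assumptions made for illustration.

```javascript
// Matches an embedded "http(s)://host" inside the path, query or fragment.
const EMBEDDED_ORIGIN = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;

// Returns the host the browser will actually contact, plus any other hosts
// that appear as look-alike origins later in the URL.
function findDecoyOrigins(rawUrl) {
  const url = new URL(rawUrl); // throws TypeError on unparsable input
  const realHost = url.hostname.toLowerCase();

  // Everything after the authority is page-controlled display text.
  let tail = url.pathname + url.search + url.hash;
  try {
    tail = decodeURIComponent(tail); // catch %3A%2F%2F-encoded decoys too
  } catch (_) {
    // Malformed percent-escapes: fall back to the raw text.
  }

  const decoys = [];
  for (const m of tail.matchAll(EMBEDDED_ORIGIN)) {
    const host = m[1].toLowerCase();
    if (host !== realHost) decoys.push(host);
  }
  return { realHost, decoys, tailLength: tail.length };
}

// A decoy origin combined with long padding is what pushes the real host out
// of view when the address bar shows the right-hand end of the URL.
// minTail is an assumed threshold, not a value from the bug report.
function isSuspicious(rawUrl, minTail = 64) {
  const r = findDecoyOrigins(rawUrl);
  return r.decoys.length > 0 && r.tailLength >= minTail;
}

// Constructed sample with the same shape as the test case in this bug.
const SAMPLE =
  'http://www.example.com/https://www.mozilla.org/' + 'x'.repeat(150);

console.log(findDecoyOrigins(SAMPLE).realHost, isSuspicious(SAMPLE));
```
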