Closed Bug 1224906 Opened 4 years ago Closed 4 years ago
Address bar spoofing by userinfo field of URI
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.58 Safari/537.36

Steps to reproduce:
Click the following link in Firefox for iOS.
<a href="https://email@example.com:8020">Launch Fake Google</a>

Actual results:
The URL shown in the location bar is "https://accounts.google.com%..", but the current page is "mallory.csrf.jp:8020".

Expected results:
The userinfo field in the URI should be removed and the current host name "mallory.csrf.jp:8020" should be shown in the location bar.

I made a PoC as follows, and the attachment is a screenshot taken when reproducing it. https://mallory.csrf.jp/ios/spoofing.html
Not sure if the iOS version is part of the bounty program but nominating all the same
Does this reproduce on Safari for iOS?
It's not reproducible on Safari for iOS. When navigated to a URL with userinfo, Safari blocks the load and shows a phishing site alert window, as attached.
We should not be showing userinfo in the URL bar; this is a very old phishing technique (search for old Firefox security bugs about that). Even if we stop showing the userinfo, though, the restricted space allows for spoofing of the form "accounts.google.com.not.really.but.you.cant.see.this.com". Not sure what to do about that.
Assignee: nobody → etoop
Status: NEW → ASSIGNED
Confirmed this is a bug that we will fix in Firefox.
Removes user info from the URL bar
Attachment #8691889 - Flags: review?(sarentz)
Comment on attachment 8691889 [details] [review] Pull request LGTM
Attachment #8691889 - Flags: review?(sarentz) → review+
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Which release are we tracking this for? 1.3 or 1.4?
I think this one is a 1.3 release as it's a security bug, but double check with :st3fan
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Even if we stop showing the userinfo, though, the restricted space allows
> for spoofing of the form
> "accounts.google.com.not.really.but.you.cant.see.this.com". Not sure what to
> do about that.

We do show all domain segments other than the baseDomain in grey. We ellipsize the end of the URL. So that would show as [grey]https://accounts.google.com.net.real…[/grey] which might be enough to tickle a user's spidey sense. On a big iPad it'd be [grey]https://accounts.google.com.net.really.but.you.cant.see.[/grey][black]this.com[/black]
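The two display rules discussed in this bug (drop the userinfo component before rendering, as the attached pull request does, and grey out every host label except the baseDomain while ellipsizing the tail, as described in the comment above) as an added Python illustration. This is not Firefox for iOS code; it assumes the baseDomain is approximated by the last two host labels (the real browser consults the Public Suffix List), and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed samples: a spoofed userinfo component in front of the real host,
# and a long lookalike hostname of the kind raised in comment #5.
SPOOF_URL = "https://accounts.google.com@mallory.example:8020/login"
LONG_HOST_URL = "https://accounts.google.com.not.really.but.you.cant.see.this.example/"


def userinfo(url):
    """The part a naive location bar would mistake for the host (None if absent)."""
    return urlsplit(url).username


def strip_userinfo(url):
    """Location-bar text: scheme, real host and port only; user:password@ is dropped.
    urlsplit() takes the host from after the last '@' in the authority."""
    parts = urlsplit(url)
    display = f"{parts.scheme}://{parts.hostname or ''}"
    if parts.port is not None:
        display += f":{parts.port}"
    return display


def base_domain(host):
    # Assumption: last two labels stand in for the registrable domain.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def render_segments(url, width):
    """Split the display URL into (text, colour) segments: scheme and all
    leading host labels grey, the baseDomain (plus port) black, and the whole
    string ellipsized to `width` characters from the end."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    base = base_domain(host)
    port = f":{parts.port}" if parts.port is not None else ""
    grey = f"{parts.scheme}://{host[:len(host) - len(base)]}"
    black = base + port
    if len(grey) + len(black) <= width:
        return [(grey, "grey"), (black, "black")]
    if len(grey) >= width - 1:
        # Truncation lands inside the grey part: the base domain is never seen.
        return [((grey + black)[:width - 1] + "…", "grey")]
    return [(grey, "grey"), (black[:width - 1 - len(grey)] + "…", "black")]
```

On a narrow screen the long-host sample renders as a single grey segment, which is the "might be enough to tickle a user's spidey sense" case from the comment above.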
(In reply to Stephan Leroux [:sleroux] from comment #9)
> Which release are we tracking this for? 1.3 or 1.4?

It's tracking 1.3. If a patch is done, tested, and landed, we should uplift it to v1.x.
Whiteboard: [needs uplift]