Bug 1292494
Opened 8 years ago
Closed 8 years ago
Sign-in information can be sent to the attacker's site without showing the URL of the attacker's phishing site; instead of the URL, about:blank is shown, along with the real site's title
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: tahir.vb.net, Unassigned)
Details
Attachments
(1 file)
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160726073904

Steps to reproduce:

I opened this URL, http://jsfiddle.net/dy4swq4o/show/, and clicked on the link. It opens a new tab, and then the Gmail phishing page, which I made for testing the bug, opens. The address of the phishing page is not shown; instead of the URL there is the Google title and about:blank. Then I enter my login and password information and submit, and this information is sent to my example site, attackersite.com, through the POST method, and then the information can be stolen. I am attaching a script so you can test for yourself, and a video. Thanks.

Actual results:

Login information is sent to my testing site, attackersite.com, where this information can be stolen, and the user can be redirected to the real website without being aware of it and without seeing the URL.

Expected results:

Software (Firefox) should be open new tab of phishing. If it opens, then it should show the URL of the page instead of about:blank, and on submit it should also alert about phishing, or it should at least show the URL of the site which is stealing their information.
Comment 1•8 years ago
What you're really doing is:

    var foo = window.open(''); // opens about:blank under control of the "attacker"
    foo.document.body.innerHTML = "<title>Gmail</title>... more HTML here.";

So showing about:blank is correct. Other browsers behave the same way. We show the title because you have a <title> tag in the HTML.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
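Added example, not part of the bug report or of Firefox's code: a check a password manager or content script could run before filling credentials, flagging a password form that lives in an about:blank window or submits to another origin, as in the report above. The function name, finding labels and the `http://attackersite.com/` form action are assumptions (the report names only the host).

```javascript
// Hypothetical helper: inputs are plain values a content script could collect
// (document.URL, the opener's URL, form.action, presence of a password input).
function assessLoginForm({ documentUrl, openerUrl, formAction, hasPasswordField }) {
  const findings = [];
  if (!hasPasswordField) return findings;

  // window.open('') yields about:blank; the address bar then names no site.
  const isAboutDoc = new URL(documentUrl).protocol === 'about:';
  if (isAboutDoc) findings.push('document-url-names-no-site');

  // An about:blank window is scripted by its opener and inherits its
  // origin and base URL, so judge the form against the opener instead.
  const base = isAboutDoc ? openerUrl : documentUrl;
  let baseUrl, target;
  try {
    baseUrl = new URL(base);
    target = new URL(formAction || base, base); // empty action posts to the page itself
  } catch {
    findings.push('unresolvable-submit-target');
    return findings;
  }

  if (target.protocol !== 'https:') findings.push('insecure-submit');
  if (target.origin !== baseUrl.origin) {
    findings.push('cross-origin-submit:' + target.host);
  }
  return findings;
}

// Constructed input modelled on the report: popup written into about:blank,
// form posting to the reporter's example host.
const reported = assessLoginForm({
  documentUrl: 'about:blank',
  openerUrl: 'http://jsfiddle.net/dy4swq4o/show/',
  formAction: 'http://attackersite.com/', // assumed scheme and path
  hasPasswordField: true,
});

// Constructed input for an ordinary same-origin HTTPS login page.
const ordinary = assessLoginForm({
  documentUrl: 'https://accounts.example.com/login',
  openerUrl: null,
  formAction: '/signin',
  hasPasswordField: true,
});

console.log(reported, ordinary);
```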