Sign-in information can be sent to the attacker's site without showing the URL of the attacker's phishing site; instead of the URL, about:blank is shown and the real site's title is shown




2 years ago
2 years ago


(Reporter: Muhammad Tahir, Unassigned)


48 Branch

Firefox Tracking Flags

(Not tracked)



(1 attachment)



2 years ago
Created attachment 8778182
This is a WinRAR archive which contains a video of the proof of concept and the HTML file which is used to exploit.

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160726073904

Steps to reproduce:

I opened this URL and clicked on the link. It then opens a new tab, and the Gmail phishing page which I made for testing the bug opens. The address of the phishing page is not shown; instead of the URL there is the title of Google and about:blank. Then I enter my login and password information and submit, and this information is sent to my example site: through the POST method, and then the information can be stolen. I am attaching a script to test for yourself and a video. Thanks.

Actual results:

Login information is sent to my testing site, where this information can be stolen, and the user can be redirected to the real website without being aware and without seeing the URL.

Expected results:

The software (Firefox) should open the new tab of the phishing page; if it opens, then it should show the URL of the page instead of about:blank, and on submit it should also alert about phishing, or it should at least show the URL of the site which is stealing the information.

Comment 1

2 years ago
What you're really doing is:

var foo = window.open(''); // opens about:blank under control of the "attacker"
foo.document.body.innerHTML = "<title>Gmail</title>... more HTML here.";

So showing about:blank is correct. Other browsers behave the same way. We show the title because you have a <title> tag in the HTML.
Group: firefox-core-security
Last Resolved: 2 years ago
Resolution: --- → INVALID
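
The point made in Comment 1, turned into a defender-side check (an added example, not part of the bug report and not Firefox code): a credential manager refuses to fill when the document has no http(s) URL of its own, as with the scripted about:blank popup, or when the form posts to another origin. The function names and the sample origins are hypothetical and constructed for illustration.

```javascript
// Returns the http(s) origin of `url` (resolved against `base` if given),
// or null for about:blank, data:, blob:, unparsable input, and so on.
function networkOrigin(url, base) {
  try {
    const u = new URL(url, base);
    return (u.protocol === 'https:' || u.protocol === 'http:') ? u.origin : null;
  } catch (e) {
    return null; // e.g. a relative action inside an about:blank document
  }
}

// savedOrigin: origin the stored credential belongs to.
// documentUrl: URL of the document holding the form (what the address bar shows).
// formAction:  value of the form's action attribute.
function assessLoginForm({ savedOrigin, documentUrl, formAction }) {
  const reasons = [];
  const docOrigin = networkOrigin(documentUrl);
  if (docOrigin === null) {
    // A popup opened with window.open('') and filled in by script lands here:
    // its title and body are whatever the opener wrote into it.
    reasons.push('document has no http(s) URL of its own: ' + documentUrl);
  } else if (docOrigin !== savedOrigin) {
    reasons.push('document origin ' + docOrigin + ' is not the saved origin');
  }
  const actionOrigin = networkOrigin(formAction, documentUrl);
  if (actionOrigin !== savedOrigin) {
    reasons.push('form submits to ' + (actionOrigin || 'an unresolvable target'));
  }
  return { autofill: reasons.length === 0, reasons };
}

// Constructed sample inputs.
const genuinePage = {
  savedOrigin: 'https://accounts.example.com',
  documentUrl: 'https://accounts.example.com/signin',
  formAction: '/session',
};
const scriptedPopup = {
  savedOrigin: 'https://accounts.example.com',
  documentUrl: 'about:blank',
  formAction: 'https://collector.example.net/post',
};

console.log(assessLoginForm(genuinePage));
console.log(assessLoginForm(scriptedPopup));
```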