Browser redirect with posting data with @ sign

Status: RESOLVED INVALID
Product: Firefox
Component: Address Bar
Severity: major
Reported: 2 years ago
Last modified: 2 years ago

People: (Reporter: Muhammad Tahir, Unassigned)
Firefox Tracking Flags: (Not tracked)
Attachments: (1 attachment)

Description (Reporter, 2 years ago)

Created attachment 8787683 [details]
This is a video file about the bug

1. Open Mozilla Firefox.
2. Type any website.com@otherwebsite.com.
3. You will be redirected to otherwebsite.com with website.com's post data, and the website after the @ will open. This can be used to trick the user by redirecting to a phishing website, to produce a CSRF-like attack, or to post attacker-customized form post data, which is very high risk.
Video is attached.
4. It should open search engine results, like when we add text other than a website URL and the search engine displays results.
Or it should open mailto: instead of http:.

Comment 1

2 years ago
As the video explicitly shows, we show the user a warning dialog detailing very carefully where they're going (otherwebsite.com, not website.com) and additionally, the data will not be used as POST data but as HTTP auth data, so no CSRF is possible. The website is also correctly highlighted in the location bar at all times.

This isn't a security vulnerability.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
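As an added example (not part of this bug report or of Firefox), the following Python script shows how a standards-conforming URL parser splits the reporter's address, and how a defensive link checker can flag it: the text before the `@` is userinfo, which the browser sends as HTTP auth credentials rather than POST data as comment 1 notes, and the host is whatever follows it. The `audit_url` function, the scheme fix-up for bare input and the sample URLs are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Constructed sample inputs, modelled on the report's "website.com@otherwebsite.com".
SAMPLES = [
    "website.com@otherwebsite.com",                        # bare, as typed in the address bar
    "http://website.com@otherwebsite.com/login",
    "https://user:secret@example.org/",                    # ordinary credentials, not a decoy
    "https://example.org/?next=website.com@otherwebsite.com",  # '@' only in the query, harmless
]


def audit_url(url: str) -> dict:
    """Split a URL per RFC 3986 and report what the browser will actually connect to.

    Everything before the last '@' in the authority is userinfo (sent as HTTP auth
    credentials, never as POST data); the host is what follows it.
    """
    # Assumption: an address typed without a scheme is treated as http, as the
    # bug report describes the address bar doing.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    userinfo = parts.username or ""
    # Link-checker heuristic: userinfo that itself looks like a domain name is a sign
    # the URL is meant to be misread as pointing at that domain.
    decoy_host = "." in userinfo and " " not in userinfo
    return {
        "host": host,
        "userinfo": userinfo,
        "has_password": parts.password is not None,
        "suspicious": decoy_host,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit_url(sample)
        print(f"{sample}\n  connects to: {result['host']!r}"
              f"  userinfo: {result['userinfo']!r}  suspicious: {result['suspicious']}")
```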