Closed Bug 1324153 Opened 4 years ago Closed 4 years ago

Address bar spoofing on android and ios firefox


(Firefox for Android :: General, defect)

Not set





(Reporter: ahmedmehtab009, Unassigned)



(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce:

Hi ,

I have just found a technique to spoof address bar on firefox web browser based on Android and IOS. This is a serious Address bar spoofing vulnerability which affects almost all the versions including the latest firefox version on android and ios.

Proof Of Concept :-
We know that on android address bar is short as compared to on desktop. So i have figured out a technique which could be used by an attacker to spoof address bar / url by creating a long sub-domain such as if an attacker creates a long sub domain ring e.g : " " now the real host / url is however attacker have created long sub domains     of that host and once a user visit that long sub-domain " " using firefox on android , firefox address bar will show you the sub-domain till while ignoring the official host / url address which was on the right side due to long address. 

This shows a proof of concept how attacker can use this technique to spoof address bar on android and same applies on IOS as well.

Steps to reproduce :-
1- Open " " in firefox on android 
2- Check the address bar which is showing you the sub domain till while ignoring the official address.

This poc could be used by any attacker to spoof the address bar and i hope everything is clear now.

Possible solution :-
1- You can use a simple solution by which is address exceeds the address bar firefox should popup a warning message that you are visiting this url which could be malicious.

2- While other solution is that you can display a long url / address in such a way which is justified such as by showing dots to give reference to sub domain while showing the official url e.g : when user clicks on address bar firefox should display the full address

I have also attached some pictures for a reference.
This has been reported earlier (bug 1236431). The solution we implemented back then (only showing public suffix + 1 of the URL) was later backed out again (bug 1268753). There's a new proposal in bug 1271998 but this hasn't been implemented so far.
As you mentioned that The solution we implemented back then which dose not seems patched. I do think this report should be highlighted
Although we haven't managed to address the problem sufficiently, we do already know about it and are working on it in bug 1271998. Mobile UX is nothing but compromises everywhere :-(
Group: firefox-core-security
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1236431
Ok , means this wont qualify for a bug bounty program
You need to log in before you can comment on or make changes to this bug.