URL SPOOFING Vulnerability.

RESOLVED DUPLICATE of bug 656343

Status

Product: Firefox
Component: Security
Status: RESOLVED DUPLICATE of bug 656343
8 months ago

People

(Reporter: u594133, Unassigned)

Tracking

Version: 55 Branch
Points: ---
Bug Flags: sec-bounty-

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

8 months ago
Steps to reproduce the bug:

Demo: https://goo.gl/z20BNH

1) Go to this link and click on "Click me".

2) You'll be redirected to google.com, and as soon as you are redirected to google.com the pop-up will appear asking you for the username and password.
Flags: sec-bounty?
(Reporter)

Comment 1

8 months ago
The bug works on all operating systems: Windows, iOS, Android etc.
(Reporter)

Comment 2

8 months ago
Since I cannot see the other details I provided, here they are:

Impact and Description: As soon as the victim is redirected to google.com, the pop-up will appear asking the victim for the username and password, making him believe that it is the 'trusted' website (in this case it is google.com, but it can be literally any website, for instance Microsoft.com, Gmail.com, Facebook.com, Paypal.com) that is asking for the username and password, which in reality it is not. Instead, it is the attacker's website asking for the victim's details.

Possible fix: The browser must update the address bar and hide the original document before showing the prompt.
Flags: needinfo?(rayyanh12)
(Reporter)

Updated

8 months ago
Flags: needinfo?(rayyanh12)
Are you reporting a vulnerability in a website or in Firefox?
(Reporter)

Comment 4

8 months ago
Firefox
(Reporter)

Updated

8 months ago
Group: websites-security → firefox-core-security
Component: Other → Security
Product: Websites → Firefox
Version: unspecified → 55 Branch

Comment 5

8 months ago
Please look for duplicates when filing bugs, especially when filing bugs that are published on public websites like lcamtuf.coredump.cx. This is a well-known issue.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → DUPLICATE
Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Duplicate of bug: 656343
Flags: sec-bounty? → sec-bounty-