Open Bug 1470673 Opened 4 years ago Updated 1 year ago

HTML email hover over URL spoof

Categories

(Thunderbird :: Security, defect)

52 Branch
defect
Not set
normal

Tracking

(Not tracked)

People

(Reporter: pontus.keskipukkila, Unassigned)

References

Details

(Keywords: csectype-spoof, sec-low, Whiteboard: DUPEME)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180507144241

Steps to reproduce:

A link in an HTML email can be constructed so that when the recipient hovers over a URL, the URL resolver at the bottom left corner will show a different URL than where the URL really leads when clicked on.

A phishing email might contain the following code to spoof a URL:

<form action="https://sadurl.com">
    <a href="https://happyurl.com">
        <input type="submit" value="Link">
    </a>
</form>

Attached is a video demonstrating the bug.


Actual results:

The included example will show the domain happyurl.com when hovered over, but will resolve to badurl.com in the browser when clicked on.


Expected results:

Hovering over a link should show the same URL as where the browser resolves to.
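As an added example (not from the bug report and not Thunderbird's own code), a parser-based check that flags the construct from the steps above: a submit control wrapped in an anchor, inside a form whose action host differs from the anchor's href host. The class and function names and the two sample documents are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the pattern from the bug report (hover shows
# happyurl.com, a click submits the enclosing form to sadurl.com).
SPOOFED_HTML = """<form action="https://sadurl.com">
    <a href="https://happyurl.com">
        <input type="submit" value="Link">
    </a>
</form>"""
# Constructed benign sample: no form wraps the link, so hover and click agree.
BENIGN_HTML = '<p>See <a href="https://example.com/docs">the docs</a>.</p>'

class FormLinkSpoofDetector(HTMLParser):
    """Flag submit controls whose <form action> host differs from the <a href> host."""

    def __init__(self):
        super().__init__()
        self.form_actions = []  # stack of open <form action="..."> values
        self.anchor_hrefs = []  # stack of open <a href="..."> values
        self.findings = []      # (hover_host, submit_host) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "a":
            self.anchor_hrefs.append(a.get("href") or "")
        elif tag in ("input", "button") and self.form_actions and self.anchor_hrefs:
            # A submit control inside <a> inside <form>: the click goes to the
            # form action, not to the anchor href shown in the status bar.
            kind = (a.get("type") or "submit").lower()
            if kind in ("submit", "image"):
                hover = urlparse(self.anchor_hrefs[-1]).hostname or ""
                real = urlparse(self.form_actions[-1]).hostname or ""
                if hover != real:  # relative URLs yield "" and are flagged too
                    self.findings.append((hover, real))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_actions:
            self.form_actions.pop()
        elif tag == "a" and self.anchor_hrefs:
            self.anchor_hrefs.pop()

def find_spoofed_links(html):
    """Return (shown_host, actual_host) pairs for each spoofed clickable area."""
    d = FormLinkSpoofDetector()
    d.feed(html)
    d.close()
    return d.findings
```

A mail client could run this over the HTML part before rendering and raise the same kind of warning the scam-detection feature shows.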
This would almost certainly have to be fixed in the Gecko engine shared with Firefox -- unless Thunderbird wants to forbid form submission from emails entirely (which it probably should).
Status: UNCONFIRMED → NEW
Ever confirmed: true
This method, with slight modifications, was tested working in Firefox, Chrome, Edge and IE. Thunderbird, however, was the only email client I tested where this works. I thought it was not worth reporting as a vulnerability in web browsers, because the same functionality could be achieved with JavaScript.
Assuming the "scam detection" feature is turned on (it is by default), this issue is partially fixed in bug 1249562. On Daily, an email containing the HTML in comment 0 is marked as a potential scam upon opening it. If you then try to click on the link, it asks if you want to visit sadurl (rather than happyurl).

So a lot of the security risk is mitigated in this regard. However:

1) It would still be nice if hovering over the button displayed the correct link. --> This is a Gecko problem
2) It would be better if form submissions didn't work at all, as Daniel mentioned. In comment 12 of bug 1249562 Magnus said that we don't allow form submissions, but it seems like we still do in my testing. Requesting needinfo for Magnus to clarify.
Flags: needinfo?(mkmelin+mozilla)
Yeah, we don't support submitting forms. If you have a case where it works, please file another bug.

What you're seeing is that when someone clicks a form, we send them to the action URL of the form (NOTE: different from submitting any input data), since if it's actually a real, well-designed form, that would allow the user to fill in the form in the context of the browser, where he can take normal precautions.

What I'd like to do is that for the form case, we inform the user that

  To keep you safe, Thunderbird doesn't allow filling in forms embedded
  in mails. Would you like to fill in the form in the browser?

                                              [Open in browser] [Cancel]


The code is around here: https://dxr.mozilla.org/comm-central/rev/e5e1510b8d914bfa8439b21ba3f73e4f2e83e957/mail/base/content/contentAreaClick.js#40
Group: mail-core-security
Flags: needinfo?(mkmelin+mozilla)
Whiteboard: DUPEME
See Also: → 1714565