"Inception bar" phishing
Categories
(Firefox for Android Graveyard :: Toolbar, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| geckoview66 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox66 | --- | unaffected |
| firefox67 | --- | unaffected |
| firefox68 | --- | unaffected |
People
(Reporter: csheany, Unassigned)
Details
User Agent: Mozilla/5.0 (Android 7.1.1; Tablet; rv:68.0) Gecko/68.0 Firefox/68.0
Comment 2•6 years ago
Hello, thanks for your report.
I may understand your problem. Can you confirm that my findings are the same as yours?
After opening this page and scrolling a little, the URL bar disappears for a sec and reappears with a Chrome bar under it. Is this the behavior your ticket is about?
Thank you for your response.
The issue was demonstrated by the website itself using Chrome.
This is about Firefox's toolbar potentially being spoofed.
Comment 4•6 years ago
Firefox does not appear to be susceptible to the phishing technique described on that page. As soon as the fake URL bar appears, the real one re-appears as well. Even after further scrolling, the page does not succeed in trapping the user in a state where the real URL bar cannot be shown.
Thank you Botond! :)
It was reported by that developer as a use case.
The link was to provide background/context.
It might not be in the wild yet but that is not to say it won't be.
Comment 6•6 years ago
My statements in comment 4 are based on testing the webpage in comment 1. That page is intended to be a demonstration of how a page can trap a browser in a state where the real URL bar is permanently hidden.
However, based on my testing, the page does not succeed at this, at least not in Firefox. So, there is no evidence of a Firefox bug here.
Because the fake is Chrome but Firefox is dynamic as well but it hasn't been exploited.
Comment 8•6 years ago
Don't add random people to bugs' CC lists.
Comment 9•6 years ago
(In reply to csheany from comment #7)
> Because the fake is Chrome but Firefox is dynamic as well but it hasn't been exploited.
Obviously, I took into account the fact that the site could change the visual appearance of the fake URL bar to be like Firefox's rather than Chrome's.
The reason I say Firefox doesn't seem to be susceptible is because of the behaviour: during my testing, at all times I could either also see the real URL bar, or easily bring it onscreen with a small amount of scrolling. There was no getting "trapped" in the state where the real URL bar was hidden.
| Reporter | ||
Comment 10•6 years ago
I guess I would rather be safe than sorry
Comment 11•6 years ago
- What Gijs said in comment 8
- If you're going to continue to file bugs, please follow the bug report writing guidelines.
- Unlike Chrome we actually protect against this exploit. If you can build a version of this exploit that works against Firefox please file a security bug with a proof of concept. Otherwise you're just wasting everyone's time.