Open Bug 1714565 Opened 5 months ago Updated 3 months ago

Status bar URL spoofing without Javascript (using IDN whole-script confusables)


(Core :: DOM: Core & HTML, defect, P2)




Tracking Status
firefox91 --- wontfix
firefox92 --- affected


(Reporter: nowasky.jr, Unassigned)



(Keywords: csectype-spoof, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

POC: data:text/html,<form action= method=post><a href=><input type=submit style=all:unset value=>

Spoofing the URL shown in the status bar when hovering a link is a well-known case when using Javascript and probably cannot be fixed without breaking websites.

Users that want to avoid this behavior end up using browser extensions or disabling Javascript altogether.

This report shows how the status bar can be spoofed without using Javascript by using a form and an anchor tag. This can be abused to perform phishing attacks against the user base previously described.

The POC shows a link pointing to that will lead to https://mozı (note the 'ı' that is not converted into punnycode) to make the attack more convincing.

Flags: sec-bounty?

This is the same as Thunderbird bug 1470673. I couldn't find a Firefox equivalent, but of course there should be one since they share the browser engine that's responsible for this behavior. Unless we find that dupe this can stand in for it. It doesn't need to be hidden since the other one is public.

Group: firefox-core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core
See Also: → 1470673
Ever confirmed: true
Severity: -- → S2
Type: task → defect
Priority: -- → P2
See Also: → 1507582, 1332714
Summary: Status bar URL spoofing without Javascript → Status bar URL spoofing without Javascript (using IDN whole-script confusables)
You need to log in before you can comment on or make changes to this bug.