This issue was reported after the security review of XBL; jag asked me to file a bug for the issue.
About as easy as it is to spoof the rest of the UI.
I think tabs are easier to spoof, because they appear in what appears to be the content area. I could serve you a frameset document where the upper frame is an exact(?) replica of the real tabs interface, and the lower frame is web content. I'll attach a testcase. A worst-case scenario: a user would drag their bank's URL from the personal toolbar to the "tab" area, the page would trap the drop (is this possible?) and instead of going to the real bank's page they would go to a replica. The URL bar would still be wrong, but if the user dragged a URL they knew was right they might not check... Hmmm, I just realized this is not a tab-specific scenario: if you can trap the drop, any page could do this.
Created attachment 104880: testcase

I think it is easier to spoof the tabs than the personal toolbars etc. Before opening this testcase please make sure you have no tabs visible in the current window. Also, this testcase uses just an image, so when you open it please resize your window width so that the top frame fills the area exactly and that there is no background visible to the right. I could have made this so it would not have mattered what width your browser window was. The scenario here is that someone comes in, sees some legitimate content in the first "tab", then wants to go somewhere else, notices they have "already opened" a "tab" to some familiar site and clicks that. The click will take them to a spoofed site that looks and acts like the real one. The URL is of course different, but I argue that you are extremely unlikely to even check that. I spoofed myself with this interface: I tried to attach this testcase using this testcase :)
your spoof fails miserably here. i'm using newclassic (my other navigator is littlemozilla, and i randomly flip between them). it'd actually be easier to spoof tabs than toolbars because at least if you were spoofing classic it would spoof newclassic's tabs correctly, whereas in the case of toolbars the look and feel is quite likely to vary by theme. fwiw, i think tabbar appearance is generally more consistent across themes than toolbar appearance, but again if you (the impersonator) bet wrong then it's pretty clear to the user. this is actually a case for having two popular yet server-indistinguishable browsers [n4/ie4, moz/n7] *(yes, they are distinguishable) where the user's look and feel is unpredictable. roc mentioned a group researching a solution for this sort of thing in bug 22183.
This is actually a good case for always showing the tabbar (like Netscape does) and making it harder to get rid of (something I'm contemplating).
I'm going to write a white paper on chrome spoofing, and try to encourage new, innovative solutions and call for more research.
Cool. Could you mention in your white paper that any solution has to be able to cope with scenarios as simple as the GIF screenshot I mentioned above, as well as the more sophisticated exploits? Cheers.
I'm making this bug public because it's old and easy to discover.
So is this really a bug in the XBL impl as opposed to a bug in the chrome or the theme?
Doesn't look like it to me!
In fact, it's not even really a Core bug - any "fix" would be to a specific app, so I don't really know what to do with this bug.
Could file separate app-specific bugs on the affected apps...
Yeah, I think this is a per-app issue. Firefox 3.1, for instance, has the tab bar always visible, and therefore a spoof like this would look pretty out of place there. I don't know the state of other consumers like Camino and SeaMonkey, but can we close this one and file on them as necessary?
To the extent that we're primarily concerned with Firefox, this is FIXED because the tab bar is always shown (by default). Other apps could deal with this if it applies, and if users choose to hide the tab bar this spoof is a risk they take on (but they're probably safe due to "herd immunity": no spammer is going to bother trying this).