This issue was reported after the Security review of XBL, jag asked me to make a
bug out of the issue.
About as easy as it is to spoof the rest of the UI.
I think tabs are easier to spoof, because they appear in what appears to be the
content area. I could serve you a frameset document where the upper frame is an
exact(?) replica of the real tabs interface, and the lower frame is web content.
I'll attach a testcase.
A worst case scenario: a user would drag their bank's URL from the personal
toolbar to the "tab" area, the page would trap the drop (is this possible?) and
instead of going to the real bank's page they would go to a replica. The URLbar
would still be wrong, but if the user dragged a URL they knew was right they
might not check... Hmmm, I just realized this is not a tab-specific scenario: if
you can trap the drop, any page could do this.
Created attachment 104876 [details]
Created attachment 104877 [details]
Created attachment 104878 [details]
Created attachment 104879 [details]
Created attachment 104880 [details]
I think it is easier to spoof the tabs than the personal toolbars etc.
Before opening this testcase please make sure you have no tabs visible in the
current window. Also, this testcase uses just an image, so when you open it
please resize your window width so that the top frame fills the area exactly
and that there is no background to the right visible. I could have made this so
it would not have mattered what width your browser window was.
The scenario here is that someone comes in, sees some legitimate content in the
first "tab", then wants to go somewhere else, notices they have "already
opened" a "tab" to some familiar site and clicks that. The click will take them
to a spoofed site that looks and acts like the real one. The URL is of course
different, but I argue that you are extremely unlikely to even check that.
I spoofed myself with this interface: I tried to attach this testcase using
this testcase :)
your spoof fails miserably here. i'm using newclassic (my other navigator is
littlemozilla, and i randomly flip between them). it'd actually be easier to
spoof tabs than toolbars because at least if you were spoofing classic it
would spoof newclassic's tabs correctly, whereas in the case of toolbars the
look and feel is quite likely to vary by theme.
fwiw, i think tabbar appearance is generally more consistent across themes than
toolbar appearance, but again if you (the impersonator) bet wrong then it's
pretty clear to the user. this is actually a case for having two popular yet
server-indistinguishable browsers [n4/ie4, moz/n7] *(yes they are
distinguishable) where the user's look and feel is unpredictable.
roc mentioned a group researching a solution for this sort of thing in bug 22183.
This is actually a good case for always showing the tabbar (like Netscape does)
and making it harder to get rid of (something I'm contemplating).
I'm going to write a white paper on chrome spoofing, and try to encourage new,
innovative solutions and call for more research.
Cool. Could you mention in your whitepaper that any solution has to be able to
cope with scenarios as simple as the GIF screenshot I mentioned above, as well
as the more sophisticated exploits? Cheers.
I'm making this bug public because it's old and easy to discover.
So is this really a bug in the XBL impl as opposed to a bug in the chrome or the theme?
Doesn't look like it to me!
In fact, it's not even really a Core bug - any "fix" would be to a specific app, so I don't really know what to do with this bug.
Could file separate app-specific bugs on the affected apps...
Yeah, I think this is a per-app issue. Firefox 3.1, for instance, has the tab bar always visible, and therefore a spoof like this would look pretty out of place there.
I don't know the state of other consumers like Camino, and Seamonkey, but can we close this one and file on them as necessary?
To the extent that we're primarily concerned with Firefox this is FIXED because the tab bar is always shown (by default). Other apps could deal with this if it applies, and if users chose to hide the tab bar this spoof is a risk they take on (but they're probably safe due to "herd immunity": no spammer is going to bother trying this).