Bug 177643 - Lone tab can spoof tab bar (make it look like there are multiple tabs)
Product: Core
Classification: Components
Component: General
Version: Trunk
Platform: All All
Importance: -- normal
Assigned To: Nobody; OK to take it and work on it
Reported: 2002-10-30 23:17 PST by bsharma
Modified: 2011-08-05 14:12 PDT

tabs (16.25 KB, image/jpeg), 2002-11-01 12:04 PST, Heikki Toivonen (remove -bugzilla when emailing directly)
tabs html (73 bytes, text/html), 2002-11-01 12:04 PST, Heikki Toivonen (remove -bugzilla when emailing directly)
bottom html (31.79 KB, text/html), 2002-11-01 12:05 PST, Heikki Toivonen (remove -bugzilla when emailing directly)
tabs html (127 bytes, text/html), 2002-11-01 12:06 PST, Heikki Toivonen (remove -bugzilla when emailing directly)
testcase (327 bytes, text/html), 2002-11-01 12:13 PST, Heikki Toivonen (remove -bugzilla when emailing directly)

Description bsharma 2002-10-30 23:17:26 PST
This issue was reported after the Security review of XBL, jag asked me to make a
bug out of the issue.
Comment 1 jag (Peter Annema) 2002-10-31 19:10:17 PST
About as easy as it is to spoof the rest of the UI.
Comment 2 Heikki Toivonen (remove -bugzilla when emailing directly) 2002-11-01 11:51:26 PST
I think tabs are easier to spoof, because they appear in what appears to be the
content area. I could serve you a frameset document where the upper frame is an
exact(?) replica of the real tabs interface, and the lower frame is web content.
I'll attach a testcase.

A worst case scenario: a user would drag their bank's URL from the personal
toolbar to the "tab" area, the page would trap the drop (is this possible?) and
instead of going to the real bank's page they would go to a replica. The URLbar
would still be wrong, but if the user dragged a URL they knew was right they
might not check... Hmmm, I just realized this is not a tab-specific scenario: if
you can trap the drop, any page could do this.
Comment 3 Heikki Toivonen (remove -bugzilla when emailing directly) 2002-11-01 12:04:01 PST
Created attachment 104876
Comment 4 Heikki Toivonen (remove -bugzilla when emailing directly) 2002-11-01 12:04:27 PST
Created attachment 104877
tabs html
Comment 5 Heikki Toivonen (remove -bugzilla when emailing directly) 2002-11-01 12:05:02 PST
Created attachment 104878
bottom html
Comment 6 Heikki Toivonen (remove -bugzilla when emailing directly) 2002-11-01 12:06:14 PST
Created attachment 104879
tabs html
Comment 7 Heikki Toivonen (remove -bugzilla when emailing directly) 2002-11-01 12:13:27 PST
Created attachment 104880

I think it is easier to spoof the tabs than the personal toolbars etc.

Before opening this testcase please make sure you have no tabs visible in the
current window. Also, this testcase uses just an image, so when you open it
please resize your window width so that the top frame fills the area exactly
and that there is no background to the right visible. I could have made this so
it would not have mattered what width your browser window was.

The scenario here is that someone comes in, sees some legitimate content in the
first "tab", then wants to go somewhere else, notices they have "already
opened" a "tab" to some familiar site and clicks that. The click will take them
to a spoofed site that looks and acts like the real one. The URL is of course
different, but I argue that you are extremely unlikely to even check that.

I spoofed myself with this interface: I tried to attach this testcase using
this testcase :)
Comment 8 timeless 2002-11-01 13:19:42 PST
your spoof fails miserably here. i'm using newclassic (my other navigator is
littlemozilla, and i randomly flip between them). it'd actually be easier to
spoof tabs than toolbars because at least if you were spoofing classic it
would spoof newclassic's tabs correctly, whereas in the case of toolbars the
look and feel is quite likely to vary by theme. 

fwiw, i think tabbar appearance is generally more consistent across themes than
toolbar appearance, but again if you (the impersonator) bet wrong then it's
pretty clear to the user. this is actually a case for having two popular yet
server-indistinguishable browsers [n4/ie4, moz/n7] *(yes they are
distinguishable) where the user's look and feel is unpredictable.

roc mentioned a group researching a solution for this sort of thing in bug 22183.
Comment 9 jag (Peter Annema) 2002-11-05 10:37:15 PST
This is actually a good case for always showing the tabbar (like Netscape does)
and making it harder to get rid of (something I'm contemplating).
Comment 10 jag (Peter Annema) 2003-03-06 15:55:43 PST
-> mitch
Comment 11 Mitchell Stoltz (not reading bugmail) 2003-04-10 16:37:48 PDT
I'm going to write a white paper on chrome spoofing, and try to encourage new,
innovative solutions and call for more research.
Comment 12 Hixie (not reading bugmail) 2003-04-16 11:01:03 PDT
Cool. Could you mention in your whitepaper that any solution has to be able to
cope with scenarios as simple as the GIF screenshot I mentioned above, as well
as the more sophisticated exploits? Cheers.
Comment 13 Jesse Ruderman 2005-07-29 16:35:42 PDT
I'm making this bug public because it's old and easy to discover.
Comment 14 Boris Zbarsky [:bz] 2007-01-03 19:09:51 PST
So is this really a bug in the XBL impl as opposed to a bug in the chrome or the theme?
Comment 15 :Gavin Sharp [email:] 2007-01-03 19:12:26 PST
Doesn't look like it to me!
Comment 16 :Gavin Sharp [email:] 2007-01-03 19:15:22 PST
In fact, it's not even really a Core bug - any "fix" would be to a specific app, so I don't really know what to do with this bug.
Comment 17 Boris Zbarsky [:bz] 2007-01-03 19:28:07 PST
Could file separate app-specific bugs on the affected apps...
Comment 18 Johnathan Nightingale [:johnath] 2009-01-12 08:36:20 PST
Yeah, I think this is a per-app issue.  Firefox 3.1, for instance, has the tab bar always visible, and therefore a spoof like this would look pretty out of place there.

I don't know the state of other consumers like Camino, and Seamonkey, but can we close this one and file on them as necessary?
Comment 19 Daniel Veditz [:dveditz] 2011-08-05 14:12:01 PDT
To the extent that we're primarily concerned with Firefox this is FIXED because the tab bar is always shown (by default). Other apps could deal with this if it applies, and if users chose to hide the tab bar this spoof is a risk they take on (but they're probably safe due to "herd immunity": no spammer is going to bother trying this).
