Firefox for Android Address Bar Spoofing with Long Subdomain
Categories: Fenix :: General, defect
Tracking: Not tracked
People: Reporter: sourc7, Unassigned
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 2 files
On Firefox for Android, when I visit a URL with a long subdomain, I notice the subdomain is shown instead of the main domain being highlighted. On Chrome for Android the main domain is highlighted no matter how long the subdomain is.
When the subdomain is shown, it is possible to spoof the address bar using a long subdomain. For example, the long spoof subdomain is: login.microsoftonline.com.x300.local, then the address bar will only show login.microsoftonline.com (Tested on Pixel_4_API_33 on default configuration + trigger reader mode icon)
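As an added illustration (this is not Fenix code and not part of the report), the following Python sketch contrasts the two display policies the report describes: truncating the hostname from the left end, which keeps whatever leading labels fit, against a policy that always keeps the registrable domain (eTLD+1) on screen and elides leading subdomain labels instead. The suffix list here is a constructed stub; a real browser derives the registrable domain from the Public Suffix List. The function names and the width values are assumptions made for the example.

```python
"""Address-bar hostname display: keep the registrable domain visible.

Added example, not browser code. PUBLIC_SUFFIXES is a constructed stub
standing in for the Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed stub of public suffixes, just enough for the example.
PUBLIC_SUFFIXES = {"com", "net", "org", "local", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'a.b.example.com' -> 'example.com'.

    Walks from the longest candidate suffix to the shortest so that
    multi-label suffixes such as 'co.uk' win over 'uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # A bare public suffix has no registrable domain; return it as-is.
            return ".".join(labels[max(i - 1, 0):])
    return host


def naive_display(host: str, width: int) -> str:
    """Keep the leading characters and cut off the tail (the behaviour reported)."""
    if len(host) <= width:
        return host
    return host[: width - 1] + "…"


def safe_display(host: str, width: int) -> str:
    """Drop leading subdomain labels until the host fits; eTLD+1 always survives."""
    rd = registrable_domain(host)
    shown = host
    if shown == rd or len(shown) <= width:
        return shown
    # Labels in front of the registrable domain, leftmost first.
    sub = host[: len(host) - len(rd)].rstrip(".").split(".")
    while len(shown) > width and sub:
        sub.pop(0)  # elide the leftmost subdomain label
        shown = "….".join(["", ".".join(sub + [rd]) if sub else rd])
    return shown


def shows_registrable_domain(display: str, host: str) -> bool:
    """Check used by the test: the rendered text must end with the eTLD+1."""
    return display.endswith(registrable_domain(host))


def render(url: str, width: int) -> dict:
    """Render one URL under both policies so the difference is visible."""
    host = urlsplit(url).hostname or ""
    return {
        "host": host,
        "registrable": registrable_domain(host),
        "naive": naive_display(host, width),
        "safe": safe_display(host, width),
    }


if __name__ == "__main__":
    # The hostname from the report, rendered into 24 columns.
    for k, v in render("https://login.microsoftonline.com.x300.local/", 24).items():
        print(f"{k:>12}: {v}")
```

With the reported hostname and a 24-column field, the naive policy renders `login.microsoftonline.c…`, so the only brand-like text a user sees belongs to the attacker-controlled subdomain, while the safe policy renders `….com.x300.local`, keeping the registrable domain in view however long the prefix grows.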
Comment 1•1 year ago
On my Xiaomi Mi 9T (Android 11) there is no fade-out effect beside the reader icon in the address bar, so it looks very convincing that the user is on https://account.microsoftonline.com
Tested on Firefox Nightly 2023-06-03T16:08:16.244921 and Firefox Beta 2023-05-26T05:48:27.374395