Closed Bug 1860399 Opened 8 months ago Closed 8 months ago

(Firefox Android) URL with long name in URL bar, not displaying the original domain in the URL bar leads to spoof

Categories

(Fenix :: General, defect, P3)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1670725

People

(Reporter: sas.kunz, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

I found a vulnerability in Firefox Android where a URL address with a long name in the URL bar does not display the original domain, which leads to spoofing.

Steps to reproduce

  1. Create a subdomain (for example: loginss.accounts.google.com.mozilla.org)
  2. Open http://103.186.0.20/spoofingbarfirefox.html
  3. Click on the "LOGIN TO GOOGLE" link; the URL address bar then only shows https://loginss.accounts.google.com
Flags: sec-bounty?
Attached image msg183539871-50549.jpg
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Fenix
Flags: needinfo?(dveditz)

Bug 1629684 is a similar desktop bug. It's P3/S3 and has a sec-low rating.

Should we align the domain name in the address bar so the TLD is always visible?

Severity: -- → S3
Priority: -- → P3
Group: mobile-core-security
Status: NEW → RESOLVED
Closed: 8 months ago
Duplicate of bug: 1670725
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
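
One way to implement the alignment asked about in the comment above, as an added example (not Fenix code and not part of the bug report): elide the hostname from the left on label boundaries so the registrable domain stays visible, shown beside the right-hand truncation the report describes. `SAMPLE_SUFFIXES` is a constructed stand-in for the Public Suffix List, and the function names and the 28-character width are hypothetical.

```javascript
// Constructed stand-in for the Public Suffix List (assumption); real code loads the full list.
const SAMPLE_SUFFIXES = new Set(["com", "org", "co.uk"]);
const ELLIPSIS = "\u2026";

const normalize = (host) => host.toLowerCase().replace(/\.$/, "");

// Registrable domain (eTLD+1): the longest known public suffix plus one label to its left.
function registrableDomain(host, suffixes = SAMPLE_SUFFIXES) {
  const labels = normalize(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix, e.g. an IP literal or intranet name
}

// Behaviour described in the report: keep the start of the host, cut the end.
function truncateRight(host, maxChars) {
  const h = normalize(host);
  return h.length <= maxChars ? h : h.slice(0, maxChars - 1) + ELLIPSIS;
}

// Hardened form: cut from the left on label boundaries so the registrable domain stays visible.
function elideLeft(host, maxChars, suffixes = SAMPLE_SUFFIXES) {
  const h = normalize(host);
  if (h.length <= maxChars) return h;
  const base = registrableDomain(h, suffixes);
  if (base === null || base.length + 1 > maxChars) {
    // Nothing to anchor on, or the registrable domain alone is too wide: keep the right-hand end.
    return ELLIPSIS + h.slice(h.length - Math.max(maxChars - 1, 0));
  }
  const labels = h.split(".");
  let start = 1;
  while (labels.slice(start).join(".").length + 1 > maxChars) start++;
  return ELLIPSIS + labels.slice(start).join(".");
}

// Hostname taken from the report; the 28-character width is a constructed value.
const reported = "loginss.accounts.google.com.mozilla.org";
console.log(truncateRight(reported, 28));
console.log(elideLeft(reported, 28));
```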