Closed Bug 1860399 Opened 11 months ago Closed 11 months ago

(Firefox Android) URL with long name in URL bar, not displaying the original domain in the URL bar leads to spoof

Categories

(Fenix :: General, defect, P3)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1670725

People

(Reporter: sas.kunz, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

I found a vulnerability in Firefox Android where a URL address with a long name in the URL bar does not display the original domain, which leads to spoofing.

Steps to reproduce

  1. Create a subdomain (for example: loginss.accounts.google.com.mozilla.org)
  2. Open http://103.186.0.20/spoofingbarfirefox.html
  3. Click on the "LOGIN TO GOOGLE" link; the URL address bar then only shows https://loginss.accounts.google.com
Flags: sec-bounty?
Attached image msg183539871-50549.jpg
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Fenix
Flags: needinfo?(dveditz)

Bug 1629684 is a similar desktop bug. It's P3/S3 and has a sec-low rating.

Should we align the domain name in the address bar so the TLD is always visible?

Severity: -- → S3
Priority: -- → P3
Group: mobile-core-security
Status: NEW → RESOLVED
Closed: 11 months ago
Duplicate of bug: 1670725
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
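
The alignment proposed in the comment above (keep the end of the host name visible), as an added JavaScript example that is not Fenix code or part of the original bug. It compares end truncation, modeled here to match the display the report describes, with start truncation that never cuts into the registrable domain. The function names, the `maxChars` width and the three-entry suffix set are assumptions made for illustration; a real implementation would use the full Public Suffix List.

```javascript
// Constructed sample suffix set (assumption); production code needs the full Public Suffix List.
const SAMPLE_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain = public suffix plus one label to its left.
// Falls back to the whole host when no known suffix matches.
function registrableDomain(host, suffixes = SAMPLE_SUFFIXES) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  // Scan from the left so the longest matching suffix wins (co.uk before uk).
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return labels.join(".");
}

// End truncation: a model of the display in the report, where the start of a
// long host is shown and the registrable domain falls outside the visible area.
function elideHostEnd(host, maxChars) {
  return host.length <= maxChars ? host : host.slice(0, maxChars - 1) + "…";
}

// Start truncation: drop characters from the left so the end of the host,
// and with it the registrable domain, is always what the user sees.
function elideHostStart(host, maxChars) {
  const h = host.toLowerCase().replace(/\.$/, "");
  if (h.length <= maxChars) return h;
  const base = registrableDomain(h);
  // Design choice: if the registrable domain does not fit, overflow the
  // budget and show it whole instead of hiding part of it.
  if (base.length + 1 >= maxChars) return (base === h ? "" : "…") + base;
  return "…" + h.slice(h.length - (maxChars - 1));
}

// Host name taken from the report's reproduction steps.
const reported = "loginss.accounts.google.com.mozilla.org";
console.log(elideHostEnd(reported, 28));
console.log(elideHostStart(reported, 28));
```
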