Closed Bug 1865924 Opened 7 months ago Closed 7 months ago

Critical Phishing Vulnerability in Firefox on iOS and Android due to URL Display Mechanism

Categories

(Fenix :: General, defect)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1670725

People

(Reporter: f.schmitt94, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

This vulnerability was identified in Firefox for iOS (version 115.0) and Android (version 120.0), where its URL display behavior markedly differs from other browsers. While browsers like Chrome and Safari prioritize showing the main domain due to limited screen space, Firefox displays the entire URL from left to right. This flaw can be easily exploited for phishing by using deceptive and long subdomains (like 'the-official-bank-of-america-website.example.com'), which, due to screen size limitations, makes only the misleading subdomain visible, significantly increasing the risk of successful phishing attacks.
Reproduction involves accessing a URL with a lengthy subdomain on a regular iPhone or Android device, showing the potential for widespread exploitation.

I recently became aware of individuals who exploited this vulnerability during the COVID-19 pandemic by creating counterfeit negative COVID test result pages. These fraudulent pages, resembling authentic testing center websites with deceptive subdomains (e.g., 'covid-testing-center-example-town.example.com'), were used to bypass venue entry requirements. The exploitation of this vulnerability, undetected since at least mid-2020, showcases the significant threat it poses beyond traditional phishing campaigns.

Flags: sec-bounty?
Group: firefox-core-security
Component: Security → General
Keywords: dupeme
Product: Firefox → Fenix
Group: mobile-core-security

Yes, we are aware of this issue for both iOS and Fenix (Firefox on Android). There are some design as well as technical considerations, so fixing it is not trivial, but I believe both teams are looking into how they might address this.

Status: UNCONFIRMED → RESOLVED
Closed: 7 months ago
Duplicate of bug: 1670725
Resolution: --- → DUPLICATE
Group: mobile-core-security
Flags: sec-bounty? → sec-bounty-
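
The display difference described in the report, as an added example that is not part of the bug thread or of Mozilla's code: it renders the report's sample hostname in a narrow address bar both ways and checks whether the registrable domain stays readable. The function names, the three-entry suffix set standing in for the Public Suffix List, the `/login` path and the 30-character width are assumptions made for illustration.

```javascript
// Constructed stand-in for the Public Suffix List (assumption; browsers ship the full list).
const SAMPLE_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (SAMPLE_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix or IP literal: callers fall back to the full host
}

// Left-to-right display as the report describes it: the text is cut at the screen edge.
function leftAnchored(url, width) {
  const u = new URL(url);
  const text = u.host + u.pathname;
  return text.length <= width ? text : text.slice(0, width - 1) + "…";
}

// Domain-anchored display: when the host does not fit, drop characters from the left
// so the right-hand end, where the registrable domain sits, stays on screen.
function domainAnchored(url, width) {
  const host = new URL(url).hostname;
  if (host.length <= width) return host;
  const domain = registrableDomain(host) || host;
  const kept = host.slice(-(width - 1));
  // Never cut into the registrable domain, even if that exceeds the width.
  return "…" + (kept.length < domain.length ? domain : kept);
}

// True when the host's registrable domain is readable in the displayed text.
function domainVisible(shown, url) {
  const host = new URL(url).hostname;
  return shown.includes(registrableDomain(host) || host);
}

// Constructed sample: the hostname from the report, a made-up path, a 30-character bar.
const SAMPLE_URL = "https://the-official-bank-of-america-website.example.com/login";
for (const render of [leftAnchored, domainAnchored]) {
  const shown = render(SAMPLE_URL, 30);
  console.log(render.name.padEnd(15), shown, "| domain visible:", domainVisible(shown, SAMPLE_URL));
}
```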