Security Issue: False URL exploit

VERIFIED DUPLICATE of bug 228176

Status

Camino Graveyard
General
14 years ago

People

(Reporter: Gregory Mendez, Assigned: Mike Pinkerton (not reading bugmail))

Description

14 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.6b) Gecko/20031208 Camino/0.7+
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.6b) Gecko/20031208 Camino/0.7+

News Services are publishing info about a new Internet Explorer Browser exploit.
This exploit allows a webpage to show a link to a site and when the user mouses
over the website, it shows a falsified web site domain name, not the page it is
going to take you to if you click on it.


So someone could go out and create a website that looks like, for example,
Citibank and send mass e-mails in HTML that would tell everyone to log in to the
Citibank site for some reason like new services or something. You mouse over the
link and see it says http://www.citibank.com/special-offer.html in the browser
at the bottom so you are confident it will take you directly to their site. You
click the link and you are suddenly on a page that looks like Citibank's and it
asks you for your account number and PIN which you enter and now you are a victim
of identity theft...

Reproducible: Always

Steps to Reproduce:
1. Go to example website
2. Hover cursor over URL provided
3. Look at status bar
4. Click the link and see that you do not go to the link displayed in the status
bar. (Checking the "prevent sites from changing status bar or window
size/position" does not function in these cases)

Actual Results:  
The link takes you to a site other than that displayed in the status bar

Expected Results:  
When you have the option in preferences "prevent sites from changing status bar
or window size/position" checked the browser should have displayed the correct
URL in the status bar rather than the fake URL.

Comment 1

14 years ago
This bug is a duplicate of Bug 228176.

*** This bug has been marked as a duplicate of 228176 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE

Comment 3

14 years ago
V: dupe.
Status: RESOLVED → VERIFIED