Closed Bug 272323 Opened 20 years ago Closed 19 years ago

Bookmark Keywords can look like uris: spoof or hijack risk?

Categories

(Firefox :: Bookmarks & History, defect)

x86
Windows XP
defect
Not set
normal

Tracking

RESOLVED WONTFIX

People

(Reporter: willryan, Assigned: vladimir+bm)

Details

(Whiteboard: local exploit at best)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

If someone can find a way to create a bookmark on someone's computer with a
certain keyword, for example, http://www.fakebankingsite.com with the keyword
'https://easyweb.tdcanada.com', they could potentially trick the user into
thinking they are logging into their online banking, when they're in fact
entering their info into a spoofed banking site, in this example.

Granted it's not the easiest feat, but still very possible on college computers,
for example.

Reproducible: Always
Steps to Reproduce:
1. Bookmark a website.
2. Make the keyword for that bookmark something like 'https://easyweb.tdcanada.com'.
3. Type the url from step 2 into the address bar.
Actual Results:  
When trying to access the easyweb online banking site, you'll instead be sent to
the bookmarked page's website, which, if the website is cloned correctly, could
be used to trick people into providing all sorts of information, in my example,
online banking details.

Expected Results:  
I'd expect keywords to be limited to a word or simple phrase, and not allow
things like a secure URL or any other URL to be entered (e.g. http://, https://,
ftp://...)

It should only allow keywords like 'banking' or the like.
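
One way to audit a profile for the condition this report describes, as an added example (not code from this bug or from Firefox): it scans a bookmarks.html export for keywords that look like URIs. It assumes the Netscape bookmark format with the keyword stored in the SHORTCUTURL attribute; keywordRisk, auditBookmarks and the sample entries are constructed for illustration.

```javascript
// Added example, not Firefox code. Flags bookmark keywords that could be
// mistaken for an address when typed into the location bar.
const SCHEME_RE = /^[a-z][a-z0-9+.-]*:/i; // RFC 3986 scheme prefix, e.g. "https:"
const HOSTLIKE_RE = /^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+([/:?#]|$)/i; // dotted host name

// Returns a reason string when the keyword looks like a URI, otherwise null.
function keywordRisk(keyword) {
  const k = keyword.trim();
  if (SCHEME_RE.test(k)) return "starts with a URI scheme";
  if (k.includes("/") || k.includes("\\")) return "contains a path separator";
  if (HOSTLIKE_RE.test(k)) return "looks like a host name";
  return null;
}

// Collects {keyword, href, risk} for every risky entry in a bookmarks.html export.
// Assumption: the keyword is the SHORTCUTURL attribute of the <A> element.
function auditBookmarks(html) {
  const findings = [];
  const anchorRe = /<A\s+([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = m[1];
    const kw = /\bSHORTCUTURL="([^"]*)"/i.exec(attrs);
    if (!kw) continue; // bookmark has no keyword
    const href = /\bHREF="([^"]*)"/i.exec(attrs);
    const risk = keywordRisk(kw[1]);
    if (risk) findings.push({ keyword: kw[1], href: href ? href[1] : "", risk });
  }
  return findings;
}

// Constructed sample export; the first entry mirrors the report's example.
const SAMPLE = `
<DT><A HREF="http://www.fakebankingsite.com" SHORTCUTURL="https://easyweb.tdcanada.com">Bank</A>
<DT><A HREF="http://www.google.com/search?q=%s" SHORTCUTURL="g">Search</A>
<DT><A HREF="http://example.org/" SHORTCUTURL="www.example.com">News</A>
<DT><A HREF="http://example.net/" SHORTCUTURL="banking">Banking</A>
`;

for (const f of auditBookmarks(SAMPLE)) {
  console.log(`${f.keyword} -> ${f.href} (${f.risk})`);
}
```

Plain keywords such as 'banking' or 'g' pass; any entry reported is a keyword whose typed form would be indistinguishable from a real address until the page loads.
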
Keywords can look like a URI, which could be used to hijack someone if you
already had access to their machine. For the most part we assume if you're able
to do that you've already breached the OS security and could do anything else
you wanted.

If the user is paying attention the location bar will switch to the real URI
when the page is loaded. If an "https:" keyword leads to a non-secure site the
user may notice the lack of the yellow highlight and lock icon. If it does lead
to a secure site the real site name will be repeated in the status bar.

Clearing security sensitive flag, not a remote exploit where hiding the details
temporarily protects potential victims while we whip up a fix.
Group: security
Summary: Security Issue With Bookmark Keywords? → Bookmark Keywords can look like uris: spoof or hijack risk?
Whiteboard: local exploit at best

Vlad, is there any reason why we support non-alphanumeric characters?  Arbitrary
strings may not be necessary.
Assignee: vladimir → vladimir+bm

*** Bug 306929 has been marked as a duplicate of this bug. ***

Why has this issue remained UNCONFIRMED since 2004?
It shouldn't be closed?

If you had enough access to someone's machine to create a keyword bookmark
(profile access) you could mess them up in many ways. The most directly
equivalent to this (a simple setting) would be to set their proxy prefs to go
through your machine--you could spoof all (non-secure) sites, not just the ones
you had time to set bookmarks for (and pass through any others).

With higher levels of access you could do a lot worse, of course.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
sorry for bugspam, long-overdue mass reassign of ancient QA contact bugs, filter on "beltznerLovesGoats" to get rid of this mass change
QA Contact: mconnor → bookmarks