Spoofing the info bar is easy

VERIFIED DUPLICATE of bug 252257

Status

14 years ago
13 years ago

People

(Reporter: csthomas, Assigned: bugzilla)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

See the URL.  It's very easy to make a convincing spoof of the info bar.

(23:52:16) <bz> CTho: firefox security, for now.  cc me, dveditz, jruderman,
jst, I guess
(23:52:22) <bz> Ctho: and mconnor

Note that bug 270443 is adding the same thing to Seamonkey.
So we have three questions here:

1)  What is the danger in the info bar being spoofable?
2)  What can we do to mitigate said danger?
3)  What can we do to prevent the info bar being spoofed, if needed?

Thoughts so far:

1)  Sites can spoof plugin finder and other informational "dialogs".  Users may
    have more trust in infobar-alikes than in random other content.
2)  Not sure.
3)  The only thing I've thought of so far is putting the info bar somewhere
    where sites can't possibly make it appear.  Say between the menubar and the
    URL bar (or above the URL bar on the Mac).  This has the obvious drawback of
    not playing nice with tabbrowser...

Comment 2

14 years ago
"Firefox has determined that this site is secure."

Possible Solutions:
Position Info Bar so that page cannot paint there, e.g. above tabs.
(Not completely safe for naive users.)

Bug was my idea, removing security flag per policy.
Group: security

*** This bug has been marked as a duplicate of 252257 ***
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED