Status

()

Firefox
General
--
major
VERIFIED DUPLICATE of bug 279099
13 years ago
13 years ago

People

(Reporter: Colin Dix, Assigned: Blake Ross)

Tracking

1.0 Branch
x86
Windows XP
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

  	 All Browsers But IE At Risk To New Spoofing Scheme

By TechWeb News

A newly uncovered vulnerability in most browsers can allow hackers to spoof the
URL displayed in the address bar and the SSL certificate, a security firm warned
Monday. The one exception? Microsoft's Internet Explorer.

Danish security company Secunia posted an alert describing the vulnerability --
which affects Mozilla, Firefox, Safari, Opera, and Konqueror -- as a "moderately
critical" problem.

The vulnerability impacts every browser built atop the open-source Geko browser
kernel -- nearly all except IE -- because of a flaw in handling International
Domain Names (IDN). Hackers can register domain names with certain international
characters that resemble other commonly-used characters, said Secunia, to spoof
the address and trick the user into thinking they're at a legitimate site and/or
it's secured by SSL.

Such spoofing vulnerabilities are typically exploited by phishers who try to
dupe users into divulging financial information at bogus Web sites that resemble
real-life banking, credit card, or retail sites.

The vulnerability has been confirmed in the latest version of Firefox, v. 1.0,
as well as in Mozilla 1.7.5, Opera 7.54u1, Opera 7.54u2, Safari 1.2.4, Konqueror
3.2.2, and Netscape 7.2. Other editions of these browsers, however, may also be
at risk, said Secunia, which posted an online test on its Web site.

Currently, none of the vendors have provided fixes for the flaw. 

Reproducible: Always

Actual Results:  
  	 All Browsers But IE At Risk To New Spoofing Scheme

By TechWeb News

A newly uncovered vulnerability in most browsers can allow hackers to spoof the
URL displayed in the address bar and the SSL certificate, a security firm warned
Monday. The one exception? Microsoft's Internet Explorer.

Danish security company Secunia posted an alert describing the vulnerability --
which affects Mozilla, Firefox, Safari, Opera, and Konqueror -- as a "moderately
critical" problem.

The vulnerability impacts every browser built atop the open-source Geko browser
kernel -- nearly all except IE -- because of a flaw in handling International
Domain Names (IDN). Hackers can register domain names with certain international
characters that resemble other commonly-used characters, said Secunia, to spoof
the address and trick the user into thinking they're at a legitimate site and/or
it's secured by SSL.

Such spoofing vulnerabilities are typically exploited by phishers who try to
dupe users into divulging financial information at bogus Web sites that resemble
real-life banking, credit card, or retail sites.

The vulnerability has been confirmed in the latest version of Firefox, v. 1.0,
as well as in Mozilla 1.7.5, Opera 7.54u1, Opera 7.54u2, Safari 1.2.4, Konqueror
3.2.2, and Netscape 7.2. Other editions of these browsers, however, may also be
at risk, said Secunia, which posted an online test on its Web site.

Currently, none of the vendors have provided fixes for the flaw.

Updated

13 years ago
Assignee: general → firefox
Component: Bugzilla-General → General
Product: Bugzilla → Firefox
QA Contact: default-qa → general
Summary: Spoof URL → Spoof URL
Version: unspecified → 1.0 Branch

Comment 1

13 years ago
Problem is known, we don't need another report.

*** This bug has been marked as a duplicate of 279099 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE

Updated

13 years ago
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.