Bug 287307 - Spoofed URL from paypal not visible in status bar
Status: RESOLVED FIXED (Closed)
Opened 20 years ago, closed 20 years ago
Categories: Thunderbird :: Security, defect
Tracking: Not tracked
People: Reporter: ericdere, Assigned: dveditz
Whiteboard: [sg:fix] thunderbird only
Attachments (2 files)
1. 567 bytes, text/html (sanitized source of the spoof email)
2. 635 bytes, patch; flags: mscott: review+, mscott: superreview+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.6) Gecko/20050226 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.6) Gecko/20050226 Firefox/1.0.1

Received one of those spoof emails about my paypal account. Pointing to (not clicking) the URL shows in the status bar: https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run
In the source, you are probably redirected to http://www.demo.i7solutions.co.uk/www.paypal.com/cgi-bin/webscr?cmd=_login-run.

The source of the email is (without the headers):

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <p align="left"></p> <p align="left"></p> <frame src="" width="100" frameborder="no" scrolling="yes"> <html> <head> <title>PayPal</title> </head> <body link="#000080" vlink="#000080" alink="#000080"> <style type="text/css"> .dummy {} BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size: 12px;color: #000000;} A { TEXT-DECORATION: none; } A:hover {TEXT-DECORATION: underline; } LI {line-height: 120%;} UL.ppsmallborder {margin:10px 5px 10px 20px;} LI.ppsmallborderli {margin:0px 0px 5px 0px;} UL.pp_narrow {margin:10px 5px 0px 40px;} hr.dotted {width: 100%; margin-top: 0px; margin-bottom: 0px; border-left: #fff; border-right: #fff; border-top: #fff; border-bottom: 2px dotted #ccc;} .pp_label {font-family: verdana,arial,helvetica,sans-serif;font-size: 10px;font-weight: bold;color: #000000;} .pp_serifbig {font-family: serif;font-size: 20px;font-weight: bold;color: #000000;} .pp_serif{font-family: serif;font-size: 16px;color: #000000;} .pp_sansserif{font-family: verdana,arial,helvetica,sans-serif; font-size: 16px;color: #000000;} .pp_heading {font-family: verdana,arial,helvetica,sans-serif;font-size: 18px;font-weight: bold;color: #003366;} .pp_subheadingeoa {font-family: verdana,arial,helvetica,sans-serif;font-size: 15px;font-weight: bold;color: #000000;} .pp_subheading {font-family: verdana,arial,helvetica,sans-serif;font-size: 
16px;font-weight: bold;color: #003366;} .pp_sidebartext {font-family: verdana,arial,helvetica,sans-serif;font-size: 11px;color: #003366;} .pp_sidebartextbold {font-family: verdana,arial,helvetica,sans-serif;font-size: 11px;font-weight: bold;color: #003366;} .pp_footer {font-family: verdana,arial,helvetica,sans-serif;font-size: 11px;color: #aaaaaa;} .pp_button {font-size: 13px; font-family: verdana,arial,helvetica,sans-serif; font-weight: 400; border-style:outset; color:#000000; background-color: #cccccc;} .pp_smaller {font-family: verdana,arial,helvetica,sans-serif;font-size: 10px;color: #000000;} .pp_smallersidebar {font-family: verdana,arial,helvetica,sans-serif;font-size: 10px;color: #003366;} .ppem106 {font-weight: 700;} .msg {display:inline-block}.mb {font-size:80%;padding:6 8 0 14;width:100%}.cb {background-image:url('http://gmail.google.com/gmail/images/card_left.gif');background-position: left 50%;background-repeat:repeat-y;border-right:1px solid #e8e8e8;}</style> <table width="100%" cellspacing="0" cellpadding="0" border="0"> <tr> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"><img src="http://images.paypal.com/images/pixel.gif" height="10" width="1" border="0"><A href="https://www.paypal.com/us"><IMG src="http://images.paypal.com/en_US/i/logo/email_logo.gif" alt="PayPal" border="0" width="255" height="35"></A></td> </tr> <tr> <td background="http://images.paypal.com/images/bg_clk.gif" width=100% style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"><img src="http://images.paypal.com/images/pixel.gif" height="29" width="1" border="0"></td> </tr> <tr> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"><img src="http://images.paypal.com/images/pixel.gif" height="10" width="1" border="0"></td> </tr> </table> <table width="600" cellspacing="0" cellpadding="0" border="0" align="center"> <tr valign="top"> <td width="400" style="font-family: 
verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"> <table width="100%" cellspacing="0" cellpadding="5" border="0" height="274" style="border-collapse: collapse" bordercolor="#111111"> <tr valign="top"> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000" height="1"> <table width="100%" cellspacing="0" cellpadding="0" border="0" height="20"> <tr> <td class="pp_heading" align="left">Security Measures<hr></td> </tr> </table> </td> </tr> <tr> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000" height="334" valign="top"> <p align="justify"><font style="font-size: 9pt">Dear Customer,<br> <br> </font>We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address.<font style="font-size: 9pt"><br> <br> </font>If you recently accessed your account while traveling, the unusual log inattempts may have been initiated by you.<font style="font-size: 9pt"><br> <br> We would like to ensure that your account was not accessed by an unauthorized third party. Because protecting the security of your account is our primary concern, For your protection, </font>we have limited access to your account until additional security measures can be completed<font style="font-size: 9pt">. 
We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.</font></p> <p align="left"><font style="font-size: 9pt"> Your case ID<b>: PP-098-877-448 </b> </font></p> <table width="75%" cellpadding="1" cellspacing="0" border="0" bgcolor="#FFE65C" align=left> <tr> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"> <div align="center"> <center> <table width="100%" cellpadding="4" cellspacing="0" border="0" bgcolor="#FFFECD" style="border-collapse: collapse" bordercolor="#111111" align="right"> <tr> <td class="pp_sansserif" align="center"> <font size="3"> <a target="_blank" onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'; return true;" href="http://www.demo.i7solutions.co.uk/www.paypal.com/cgi-bin/webscr?cmd=_login-run">Click here to remove the limitations</a></font></td> </tr> </table> </center> </div> </td> </tr> </table> <p align="justify"> <br> <br> <br> <BR> Thanks for your patience as we work together to protect your account.<br> <br> Thank you for using PayPal!<br> The PayPal Team </td> </tr> <tr> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000" height="2"><hr class="dotted"></td> </tr> <tr> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000" height="92"> <table width="100%" cellspacing="0" cellpadding="0" border="0" height="79"> <tr> <td class="pp_footer" height="69"> Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, <a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run"> log in</a> to your PayPal account and choose the "Help" link in the footer of any page.<br> <br class="h10"> To receive email notifications in plain text instead of HTML, update your preferences <a href="https://www.paypal.com/us/PREFS-NOTI">here</a>. 
</td> </tr> <tr> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000" height="10"><img src="http://images.paypal.com/en_US/i/scr/pixel.gif" height="10" width="1" border="0"></td> </tr> </table> </td> </tr> <tr> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000" height="1" valign="top"><span class="pp_footer"> PayPal Email ID PP468</span></td> </tr> </table> </td> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"><img src="http://images.paypal.com/en_US/i/scr/pixel.gif" height="1" width="10" border="0"></td> <td width="190" valign="top" style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"> <table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#cccccc"> <tr> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"> <table width="100%" cellspacing="0" cellpadding="0" border="0" bgcolor="#ffffff"> <tr> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"><table width="100%" cellspacing="0" cellpadding="5" border="0" bgcolor="#eeeeee"> <tr> <td class="pp_sidebartextbold" align="center">Protect Your Account Info</td> </tr> </table> <table width="100%" cellspacing="0" cellpadding="5" border="0"> <tr> <td class="pp_sidebartext">Make sure you never provide your password to fraudulent websites. <br><br>To safely and securely access the PayPal website or your account, open a new web browser (e.g. 
Internet Explorer or Netscape) and type in the PayPal URL (https://www.paypal.com/us/) to be sure you are on the real PayPal site.<br><br>PayPal will never ask you to enter your password in an email.<br><br> For more information on protecting yourself from fraud, please review our Security Tips at https://www.paypal.com/us/securitytips<br><img src="http://images.paypal.com/en_US/images/pixel.gif" height="5" width="1" border="0"> </td> </tr> </table> </td> </tr> <tr> <td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"><table width="100%" cellspacing="0" cellpadding="5" border="0" bgcolor="#eeeeee"> <tr> <td class="pp_sidebartextbold" align="center">Protect Your Password</td> </tr> </table> <table width="100%" cellspacing="0" cellpadding="5" border="0"> <tr> <td class="pp_sidebartext">You should <span class="ppem106">never</span> give your PayPal password to anyone, including PayPal employees.<br><img src="http://images.paypal.com/en_US/i/scr/pixel.gif" height="5" width="1" border="0"></td> </tr> </table> </td> </tr> </td> </table> </td> </table> </td> </tr> </table> </body> </html> </form>

Reproducible: Always
Updated (Reporter) • 20 years ago
Version: unspecified → 1.0
Comment 1 • 20 years ago
Please don't paste the source code in the description; you could add it as an attachment instead. Please send the email to my address, so that I can try to reproduce the bug.
Comment 2 • 20 years ago
I sanitized the code for your viewing pleasure. The status bar (window.status) gets changed via onmouseover.

Reporter: JavaScript should be turned off in Thunderbird (and is turned off by default). Go to Tools-->Options-->Advanced-->Privacy and untick "Enable JavaScript in messages". If you are using a nightly build of Thunderbird, go to Tools-->Options-->Privacy and tick "Block JavaScript in mail messages".
Comment 3 • 20 years ago

Please mark this bug --> INVALID
Comment 4 (Assignee) • 20 years ago
Even with JS on (an extremely bad and dangerous idea--stop it immediately) Thunderbird should have dom.disable_window_status_change set to true like Firefox. Of course, we forked this pref setting rather than fix all apps at once in the shared all.js, apparently just in case one of the apps liked getting spoofed. Without JS it's still possible to spoof the status bar with nested links, but that's filed elsewhere.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix]
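A defender-side check for the pattern named in comments 2 and 4 (an onmouseover handler that assigns window.status so the status bar shows a different URL than the href), added here as an example; it is not part of this bug report and not Thunderbird's code. It walks the anchors of an HTML message, reports every one whose onmouseover assigns window.status, and compares the host named in the status text with the host of the real href. The sample message is constructed for the example and mirrors the anchor quoted in the description; the class and function names are this example's own.

```python
"""Flag HTML e-mail anchors that rewrite window.status on hover.

Added example (not from the bug report or from Thunderbird): a small
triage check that reports links whose onmouseover handler assigns
window.status and tells whether the host shown in the status text
differs from the host the href actually points at.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches  window.status = '...'  or  window.status="..."  (either quote style).
STATUS_ASSIGN = re.compile(r"""window\.status\s*=\s*(['"])(.*?)\1""", re.IGNORECASE)


def host_of(url):
    """Return the lowercase host of a URL, or '' when there is none."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


class StatusSpoofFinder(HTMLParser):
    """Collect <a> elements whose onmouseover overwrites the status bar."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True, so &quot; in attributes is decoded
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        attrs = {name.lower(): (value or "") for name, value in attrs}
        match = STATUS_ASSIGN.search(attrs.get("onmouseover", ""))
        if not match:
            return  # no status-bar rewrite on this link
        shown = match.group(2)
        href = attrs.get("href", "")
        self.findings.append({
            "href": href,
            "status_text": shown,
            # The strong signal: the status bar names a different host than the link target.
            "host_mismatch": host_of(shown) != host_of(href),
        })


def find_status_spoofs(html):
    """Return one finding per anchor that assigns window.status on hover."""
    parser = StatusSpoofFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample message: the first anchor mirrors the one quoted in the
# bug description, the second has no handler, the third rewrites the status
# bar but to the same host as its href (noisy, but not a spoof).
SAMPLE_MESSAGE = """
<p>Dear Customer,</p>
<a target="_blank"
   onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'; return true;"
   href="http://www.demo.i7solutions.co.uk/www.paypal.com/cgi-bin/webscr?cmd=_login-run">Click here to remove the limitations</a>
<a href="https://www.paypal.com/us/PREFS-NOTI">here</a>
<a href="https://www.paypal.com/us/help"
   onmouseover="window.status = &quot;https://www.paypal.com/us/help&quot;; return true;">Help</a>
"""


def scan_sample():
    """Run the check over the constructed sample message."""
    return find_status_spoofs(SAMPLE_MESSAGE)


if __name__ == "__main__":
    for finding in scan_sample():
        flag = "SPOOF" if finding["host_mismatch"] else "status-rewrite"
        print(f"{flag}: status shows {finding['status_text']!r}, href is {finding['href']!r}")
```

The host comparison is the part worth acting on: a handler that rewrites the status bar to a host other than the link's own is exactly what the description shows. In the mail client itself the fix is the one comment 4 names, not running message JavaScript at all, and with dom.disable_window_status_change set to true the handler cannot touch the status bar even when it does run; this check is only for triaging mail that has already arrived.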
Comment 5 (Assignee) • 20 years ago
Attachment #178422 - Flags: superreview?(mscott)
Attachment #178422 - Flags: review?(mscott)
Updated • 20 years ago
Attachment #178422 - Flags: superreview?(mscott) → superreview+
Attachment #178422 - Flags: review?(mscott) → review+
Comment 6 (Assignee) • 20 years ago
Fix checked into trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
Flags: blocking-aviary1.0.3?
Resolution: --- → FIXED
Updated (Assignee) • 20 years ago
Whiteboard: [sg:fix] → [sg:fix] thunderbird only
Updated (Assignee) • 20 years ago
Attachment #178422 - Flags: approval-aviary1.0.3?
Updated • 20 years ago
Attachment #178422 - Flags: approval-aviary1.0.3?
Updated • 20 years ago
Flags: blocking-aviary1.0.3?
Comment 7 (Assignee) • 20 years ago
Why was my 1.0.3 nomination eliminated? I can move the nomination to 1.0.4, but we have not shipped a 1.0.3 for Thunderbird yet.
Flags: blocking-aviary1.0.4?
Updated (Assignee) • 20 years ago
Flags: blocking-aviary1.0.5? → blocking-aviary1.0.5-