Spoofed URL from paypal not visible in status bar

RESOLVED FIXED

Status

Product: Thunderbird
Component: Security
Status: RESOLVED FIXED
Reported: 13 years ago
Modified: 7 years ago

People

(Reporter: Eric de Redelijkheid, Assigned: dveditz)

Tracking

Hardware: x86
OS: Windows XP
Bug Flags:
blocking-aviary1.0.5 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix] thunderbird only)

Attachments

(2 attachments)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.6) Gecko/20050226 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.6) Gecko/20050226 Firefox/1.0.1

Received one of those spoof emails about my paypal account. Pointing to (not
clicking) the URL shows in the status bar:
https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run

In the source, you are probably redirected to
http://www.demo.i7solutions.co.uk/www.paypal.com/cgi-bin/webscr?cmd=_login-run.

The source of the email is (without the headers):

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">


<p align="left"></p>
<p align="left"></p>

<frame src="" width="100" frameborder="no" scrolling="yes">
<html>
<head>
<title>PayPal</title>
</head>
<body link="#000080" vlink="#000080" alink="#000080">

<style type="text/css">
.dummy {}
BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size:
12px;color: #000000;}
A { TEXT-DECORATION: none; }
A:hover {TEXT-DECORATION: underline; }
LI {line-height: 120%;}
UL.ppsmallborder {margin:10px 5px 10px 20px;}
LI.ppsmallborderli {margin:0px 0px 5px 0px;}
UL.pp_narrow {margin:10px 5px 0px 40px;}
hr.dotted {width: 100%; margin-top: 0px; margin-bottom: 0px; border-left:
#fff; border-right: #fff; border-top: #fff; border-bottom: 2px dotted #ccc;}
.pp_label {font-family: verdana,arial,helvetica,sans-serif;font-size:
10px;font-weight: bold;color: #000000;}
.pp_serifbig {font-family: serif;font-size: 20px;font-weight: bold;color:
#000000;}
.pp_serif{font-family: serif;font-size: 16px;color: #000000;}
.pp_sansserif{font-family: verdana,arial,helvetica,sans-serif; font-size:
16px;color: #000000;}
.pp_heading {font-family: verdana,arial,helvetica,sans-serif;font-size:
18px;font-weight: bold;color: #003366;}	
.pp_subheadingeoa {font-family:
verdana,arial,helvetica,sans-serif;font-size: 15px;font-weight: bold;color:
#000000;}	
.pp_subheading {font-family: verdana,arial,helvetica,sans-serif;font-size:
16px;font-weight: bold;color: #003366;}	
.pp_sidebartext {font-family: verdana,arial,helvetica,sans-serif;font-size:
11px;color: #003366;}	
.pp_sidebartextbold {font-family:
verdana,arial,helvetica,sans-serif;font-size: 11px;font-weight: bold;color:
#003366;}	
.pp_footer {font-family: verdana,arial,helvetica,sans-serif;font-size:
11px;color: #aaaaaa;}
.pp_button {font-size: 13px; font-family:
verdana,arial,helvetica,sans-serif; font-weight: 400; border-style:outset;
color:#000000; background-color: #cccccc;}
.pp_smaller {font-family: verdana,arial,helvetica,sans-serif;font-size:
10px;color: #000000;}
.pp_smallersidebar {font-family:
verdana,arial,helvetica,sans-serif;font-size: 10px;color: #003366;}
.ppem106 {font-weight: 700;}
.msg {display:inline-block}.mb {font-size:80%;padding:6 8 0 14;width:100%}.cb
{background-image:url('http://gmail.google.com/gmail/images/card_left.gif');background-position:
left 50%;background-repeat:repeat-y;border-right:1px solid #e8e8e8;}</style>
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tr>
	<td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px;
color: #000000"><img src="http://images.paypal.com/images/pixel.gif" height="10"
width="1" border="0"><A href="https://www.paypal.com/us"><IMG
src="http://images.paypal.com/en_US/i/logo/email_logo.gif" alt="PayPal"
border="0" width="255" height="35"></A></td>
</tr>
<tr>
	<td background="http://images.paypal.com/images/bg_clk.gif"
width=100% style="font-family: verdana,arial,helvetica,sans-serif; font-size:
12px; color: #000000"><img src="http://images.paypal.com/images/pixel.gif"
height="29"
width="1" border="0"></td>
</tr>	
<tr>
	<td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px;
color: #000000"><img src="http://images.paypal.com/images/pixel.gif" height="10"
width="1" border="0"></td>

</tr>
</table>
<table width="600" cellspacing="0" cellpadding="0" border="0"
align="center">
	<tr valign="top">
		<td width="400" style="font-family: verdana,arial,helvetica,sans-serif;
font-size: 12px; color: #000000">
			<table width="100%" cellspacing="0" cellpadding="5" border="0" height="274"
style="border-collapse: collapse" bordercolor="#111111">
				<tr valign="top">
					<td style="font-family: verdana,arial,helvetica,sans-serif; font-size:
12px; color: #000000" height="1">
                    <table width="100%" cellspacing="0" cellpadding="0"
border="0" height="20">
	<tr>
		<td class="pp_heading" align="left">Security Measures<hr></td>
	</tr>
	</table>		
</td>
        </tr>
	<tr>
		<td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px;
color: #000000" height="334" valign="top">
			<p align="justify"><font style="font-size: 9pt">Dear Customer,<br>
            <br> </font>We recently noticed one or more attempts to log in to 
            your PayPal account from a foreign IP address.<font
style="font-size: 9pt"><br>
            <br>
            </font>If you recently accessed your account while traveling, the 
            unusual log inattempts may have been initiated by you.<font
style="font-size: 9pt"><br>
            <br>
            We would like to ensure that your account was not accessed by an 
            unauthorized third party. Because protecting the security of your 
            account is our primary concern, For your protection,  </font>we have 
            limited access to your account until additional security measures 
            can be completed<font style="font-size: 9pt">. We understand that
this may be an inconvenience but 
            please understand that this temporary limitation is for your 
            protection.</font></p>
            <p align="left"><font style="font-size: 9pt"> Your case ID<b>:
PP-098-877-448 </b> </font></p>
			<table width="75%" cellpadding="1" cellspacing="0" border="0"
bgcolor="#FFE65C" align=left>
				<tr>
					<td style="font-family: verdana,arial,helvetica,sans-serif; font-size:
12px; color: #000000">
						<div align="center">
                          <center>
						<table width="100%" cellpadding="4" cellspacing="0" border="0"
bgcolor="#FFFECD" style="border-collapse: collapse" bordercolor="#111111"
align="right">
							<tr>
								<td class="pp_sansserif" align="center">
                                <font size="3">
                                <a target="_blank"
onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run';
return true;"
href="http://www.demo.i7solutions.co.uk/www.paypal.com/cgi-bin/webscr?cmd=_login-run">Click
here 
                                to
                                remove the limitations</a></font></td>
							</tr>
						</table>
					      </center>
                        </div>
					</td>
				</tr>
			</table>
			<p align="justify">
			<br>
			<br>
			<br>
			   
			<BR>
			Thanks for your patience as we work together to protect your 
            account.<br>
            <br>
			Thank you for using PayPal!<br>
            The PayPal Team
                     </td>   
                 </tr>
                 <tr>
		     <td style="font-family: verdana,arial,helvetica,sans-serif; font-size:
12px; color: #000000" height="2"><hr class="dotted"></td>
		 </tr>
		 <tr>
		     <td style="font-family: verdana,arial,helvetica,sans-serif; font-size:
12px; color: #000000" height="92">
             <table width="100%" cellspacing="0" cellpadding="0" border="0"
height="79">
	<tr>
		<td class="pp_footer" height="69">
			Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, 
			<a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run">	log
in</a> to your PayPal account and choose the "Help" link in the footer of
any page.<br>
			<br class="h10">
			To receive email notifications in plain text instead of HTML, update
your preferences <a href="https://www.paypal.com/us/PREFS-NOTI">here</a>.		
		</td>
	</tr>
	<tr>
		<td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px;
color: #000000" height="10"><img
src="http://images.paypal.com/en_US/i/scr/pixel.gif" height="10"
width="1" border="0"></td> 
	</tr>	

</table>	

</td>
		 </tr>
                 <tr>
				<td style="font-family: verdana,arial,helvetica,sans-serif; font-size: 12px;
color: #000000" height="1" valign="top"><span class="pp_footer">
PayPal Email ID PP468</span></td>
			</tr>
             </table>   
         </td>   
         <td style="font-family: verdana,arial,helvetica,sans-serif; font-size:
12px; color: #000000"><img src="http://images.paypal.com/en_US/i/scr/pixel.gif"
height="1" width="10" border="0"></td>                   
         <td width="190" valign="top" style="font-family:
verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000">   
             <table width="100%" cellspacing="0" cellpadding="1" border="0"
bgcolor="#cccccc">   
                 <tr>   
                     <td style="font-family: verdana,arial,helvetica,sans-serif;
font-size: 12px; color: #000000">   
                         <table width="100%" cellspacing="0"
cellpadding="0" border="0" bgcolor="#ffffff">   
                             <tr>   
                                 <td style="font-family:
verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"><table
width="100%" cellspacing="0"
cellpadding="5" border="0" bgcolor="#eeeeee">
	<tr>
		<td class="pp_sidebartextbold" align="center">Protect Your Account
Info</td>
	</tr>

</table>		
<table width="100%" cellspacing="0" cellpadding="5" border="0">
	<tr>
		<td class="pp_sidebartext">Make sure you never provide your password to
fraudulent websites. <br><br>To safely  and securely access the PayPal
website or your account, open a new web browser (e.g. Internet Explorer or
Netscape) and type in the PayPal URL (https://www.paypal.com/us/) to be
sure you are on the real PayPal site.<br><br>PayPal will never ask you to
enter your password in an email.<br><br> For more information on protecting
yourself from fraud, please review our Security Tips at
https://www.paypal.com/us/securitytips<br><img
src="http://images.paypal.com/en_US/images/pixel.gif" height="5" width="1"
border="0"> </td>
	</tr>
</table>	


</td>   
                             </tr>   
                             <tr>   
                                 <td style="font-family:
verdana,arial,helvetica,sans-serif; font-size: 12px; color: #000000"><table
width="100%" cellspacing="0"
cellpadding="5" border="0" bgcolor="#eeeeee">
	<tr>
		<td class="pp_sidebartextbold" align="center">Protect Your Password</td>
	</tr>

</table>		
<table width="100%" cellspacing="0" cellpadding="5" border="0">
	<tr>
		<td class="pp_sidebartext">You should <span class="ppem106">never</span>
give your PayPal password to anyone, including PayPal employees.<br><img
src="http://images.paypal.com/en_US/i/scr/pixel.gif" height="5" width="1"
border="0"></td>
	</tr>
</table>	
</td>   
                             </tr>   
                         </td>   
                     </table>   
                 </td>   
             </table>                                           
         </td>   
     </tr>           

</table>       
</body>   
</html>

</form>

Reproducible: Always
(Reporter)

Updated

13 years ago
Version: unspecified → 1.0

Comment 1

13 years ago
Please don't paste the source code in the description; you could add it as an
attachment instead.

Please send the email to my address, so that I can try to reproduce the bug.

Comment 2

13 years ago
Created attachment 178354 [details]
testcase

I sanitized the code for your viewing pleasure.

The status bar (window.status) gets changed via onmouseover.

Reporter: JavaScript should be turned off in Thunderbird (and is turned off by
default).
Go to Tools-->Options-->Advanced-->Privacy and untick "Enable JavaScript in
messages".
If you are using a nightly build of Thunderbird, go to Tools-->Options-->Privacy
and tick "Block JavaScript in mail messages".
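The mechanism described in the report and in the comment above (an onmouseover handler writing a trusted-looking URL into window.status while the href points elsewhere) can be caught by a simple content-side check on the message source. The following scanner is an added example, not code from the bug report or from Mozilla; the function and class names are mine, and the host phish.example.net in the constructed sample is a placeholder rather than the real redirect host named in the report. It flags anchors whose status-bar text disagrees with the href host, and, going one step beyond the reported case, also flags visible link text that itself looks like a URL on a different host.

```python
# Added example (not from the bug report or the Mozilla code base): a small
# defender-side scanner for HTML mail that flags anchors whose status-bar text
# disagrees with where the link really goes. Two checks are implemented:
#   1. an onmouseover handler that assigns a URL to window.status whose host
#      differs from the href host (the trick used in the reported message);
#   2. visible link text that itself looks like a URL on a different host.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL string literal assigned to window.status inside an inline handler.
STATUS_RE = re.compile(r"""window\.status\s*=\s*(['"])(.*?)\1""", re.S)
# A URL appearing in visible link text.
URL_IN_TEXT_RE = re.compile(r"""https?://[^\s<>"']+""")


class LinkCollector(HTMLParser):
    """Collects (href, onmouseover, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href") or "",
                             "onmouseover": a.get("onmouseover") or ""}
            self._text = []

    def handle_data(self, data):
        if self._current is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join("".join(self._text).split())
            self.links.append(self._current)
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none (relative, javascript:, ...)."""
    return (urlparse(url.strip()).hostname or "").lower()


def find_status_spoofs(html):
    """Return a list of findings, each naming the host shown and the host actually linked."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        actual = host_of(link["href"])
        m = STATUS_RE.search(link["onmouseover"])
        if m:
            shown = host_of(m.group(2))
            if shown and shown != actual:
                findings.append({"kind": "window.status", "shown": shown,
                                 "actual": actual, "href": link["href"]})
        for url in URL_IN_TEXT_RE.findall(link["text"]):
            shown = host_of(url)
            if shown and shown != actual:
                findings.append({"kind": "link text", "shown": shown,
                                 "actual": actual, "href": link["href"]})
    return findings


# Constructed sample modelled on the reported message; phish.example.net is a
# placeholder for the real redirect host and is not taken from the report.
SAMPLE = """
<p><a target="_blank"
   onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run';
   return true;"
   href="http://phish.example.net/www.paypal.com/cgi-bin/webscr?cmd=_login-run">Click
   here to remove the limitations</a></p>
<p><a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run">log in</a></p>
<p><a href="http://phish.example.net/login">https://www.paypal.com/us/</a></p>
"""

if __name__ == "__main__":
    for f in find_status_spoofs(SAMPLE):
        print(f"{f['kind']}: shows {f['shown']} but links to {f['actual']} ({f['href']})")
```

Run against the sample, the scanner reports the onmouseover anchor (shows www.paypal.com, links to phish.example.net) and the anchor whose visible text is a PayPal URL, while the genuine footer link passes. A check like this belongs in a mail gateway or a triage script; the platform-side fix is to stop scripts from writing to the status bar at all, which is the pref change discussed later in this bug.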

Comment 3

13 years ago
Please mark this bug --> INVALID
(Assignee)

Comment 4

13 years ago
Even with JS on (an extremely bad and dangerous idea--stop it immediately)
Thunderbird should have dom.disable_window_status_change set to true like
Firefox. Of course, we forked this pref setting rather than fix all apps at once
in the shared all.js, apparently just in case one of the apps liked getting spoofed.

Without JS it's still possible to spoof the status bar with nested links, but
that's filed elsewhere.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix]
(Assignee)

Comment 5

13 years ago
Created attachment 178422 [details] [diff] [review]
set tbird pref to match ff and suite
Attachment #178422 - Flags: superreview?(mscott)
Attachment #178422 - Flags: review?(mscott)

Updated

13 years ago
Attachment #178422 - Flags: superreview?(mscott)
Attachment #178422 - Flags: superreview+
Attachment #178422 - Flags: review?(mscott)
Attachment #178422 - Flags: review+
(Assignee)

Comment 6

13 years ago
Fix checked into trunk.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Flags: blocking-aviary1.0.3?
Resolution: --- → FIXED
(Assignee)

Updated

13 years ago
Whiteboard: [sg:fix] → [sg:fix] thunderbird only
(Assignee)

Updated

13 years ago
Attachment #178422 - Flags: approval-aviary1.0.3?

Updated

13 years ago
Attachment #178422 - Flags: approval-aviary1.0.3?

Updated

13 years ago
Flags: blocking-aviary1.0.3?
(Assignee)

Comment 7

13 years ago
Why was my 1.0.3 nomination eliminated? I can move the nomination to 1.0.4, but
we have not shipped a 1.0.3 for Thunderbird yet.
Flags: blocking-aviary1.0.4?
(Assignee)

Updated

13 years ago
Flags: blocking-aviary1.0.5? → blocking-aviary1.0.5-