Closed
Bug 288036
Opened 20 years ago
Closed 20 years ago
download dialog spoofing with <object> tag
Categories
(Firefox :: General, defect)
RESOLVED
INVALID
People
(Reporter: tonglebeak, Assigned: bugzilla)
Details
(Whiteboard: [sg:spoof])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050326 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050326 Firefox/1.0+

Follow the url. I know it's a poor example, but I don't have the resources to make the spoofing more elaborate (think outside that example regarding this).

A spoofed site can have an <object> tag fetching data from a real site. Let's use something besides citibank as the url shows to. Let's say it was called dinsey.com, and that was fetching the html from disney.com. Well, with the domains looking very similar, the average person might miss the domain spoofing. So they're browsing along, and all of a sudden see something called "Newest-Disney-Dinosaur-Desktop.exe" and think "wow, I should try this." Well, being on the spoofed site and thinking they're on the real site (because everything but the domain is 100% alike), they'll download it and run it, finding out their computer just got screwed over.

The example I linked to is a poor attempt at this because of my lack of resources, but if someone wanted to pull this off, it'd be quite possible. All they'd need to do is make a domain that is extremely similar to the real domain, use <object> to fetch the real data from the real site to make the spoof look real, and then let javascript redirect that page to a download, without the average person ever knowing they're potentially about to download a virus.

Poor example linked to, I know, sorry, but think outside of the box on this one and you'll see this needs to be addressed.

Reproducible: Always
Comment 1•20 years ago (Reporter)
I forgot to add, you need to wait 15 seconds for the download dialog to appear, and JavaScript must be enabled.
Updated•20 years ago (Reporter)
Version: unspecified → Trunk
Comment 2•20 years ago
This is a well-known spoofing concept. Hardly matters if the phishers re-create the "bait" site from scratch or frame it in this manner (the <object> tag is equivalent to an <iframe> here). We've got lots of bugs on attempts to deal with spoofing in general, hard to pin this down to a specific duplicate. There's no way (at a technical level) to prevent one site from looking like another site. Most anti-spoofing focuses on making sure the user knows where they really are rather than what the site looks like. Although not the best mechanism from a visibility standpoint, the URL bar is what we currently tell people to verify. You haven't spoofed that here.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Whiteboard: [sg:spoof]
Version: Trunk → unspecified
Comment 3•20 years ago
I'm not disputing the phishing value of your "dinsey.com" example, we've seen things like it (ebay-support.com, etc.) in real-world phish. But the problem is not new and I closed this in favor of bugs that contain proposals for dealing with it. There is also an active discussion going on in the n.p.m.security newsgroup.
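
The lookalike names raised in this thread (dinsey.com for disney.com, and ebay-support.com) can be caught on the defender's side by comparing observed hostnames against a list of protected domains. The following is an added example, not part of the bug report or of Mozilla's code; `PROTECTED`, `osa_distance` and `classify` are hypothetical names, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
# Added example (not from the bug thread): flag hostnames imitating a protected domain.
# PROTECTED is a constructed list; a deployment would supply its own brands.
PROTECTED = {"disney.com", "ebay.com"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "ns" <-> "sn" in dinsey/disney.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify(host: str):
    """Return (verdict, matched_brand) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ("unrelated", None)
    # Simplification: treats the last two labels as the registrable domain.
    # Production code should consult the Public Suffix List instead.
    if ".".join(labels[-2:]) in PROTECTED:
        return ("legitimate", ".".join(labels[-2:]))
    # Hyphen-separated tokens of every label left of the TLD.
    tokens = {t for label in labels[:-1] for t in label.split("-")}
    for brand in sorted(PROTECTED):
        name = brand.split(".")[0]
        if osa_distance(labels[-2], name) <= 1:
            return ("typo-lookalike", brand)
        if name in tokens:
            return ("brand-embedded", brand)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed sample hostnames, taken from the names used in the thread.
    for h in ("www.disney.com", "dinsey.com", "ebay-support.com", "example.org"):
        print(h, classify(h))
```

A distance threshold of 1 produces false positives for short brand names, so hits are best treated as review candidates rather than verdicts.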