mistyped https URL redirects to Paypal.com

13 years ago

(Reporter: Ian Grigg, Assigned: dveditz)

Firefox Tracking Flags: (Not tracked)

13 years ago
User-Agent:       Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.6) Gecko/20050406 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.6) Gecko/20050406 Firefox/1.0.2

This looks like #231720 but done with HTTPS.  If any domain is mistyped with
https the redirect goes to Paypal.  This breaches the security model of HTTPS;
the browser should not make any adjustments arbitrarily to the URL typed into
the URL bar, and should in some way show that a redirect has happened if HTTPS is
involved and certificates are being expected to be checked.

https::/blahblah.com/  Or any other correct domain in an invalid URL.

As it was discovered by payments people (Gordon Katz of KatzGlobal.com), and as
everyone in that world is panicking about phishing, I think this could be major.

It currently appears mostly embarrassing rather than exploitable.  I can't
quite see how to exploit it but phishers are more persistent than I.

At the minimum, the google "I'm feeling lucky" feature ... if that is what it is
... should be turned off for https.  Actually, I'd rather the Lucky feature
should be turned off altogether or made into a separate thing like lucky:"search
string" as until the UI is improved (a la Gervase, HJ/, trustbar) to do
user-engaged security, there is way too much emphasis on that URL bar to be
worthy of confidence so any "tricks" should be kept to a minimum.

Reproducible: Always

Steps to Reproduce:
1. type in https::/some domain/
2. hit return
3. see Paypal.com, connected with https

Actual Results:  
Get silently redirected to http://Paypal.com/

Expected Results:  
Indicated that the URL was invalid and that the user should examine it and fix
the typing.

This is a security bug.  It doesn't need to be kept confidential.
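
The behaviour the reporter asks for under "Expected Results" (flag the malformed URL rather than silently rewriting it), as an added example that is not Firefox code: a small address-bar input classifier that tells a well-formed URL apart from a scheme-like typo such as `https::/` and from a plain keyword, and refuses to fall back to a search or a host guess for the typo case. The regular expressions and the set of known schemes are assumptions made for illustration.

```javascript
// Added example (not Firefox code): classify address-bar input so that
// scheme-like typos such as "https::/example.com/" are reported as invalid
// instead of being turned into a keyword search ("https" -> I'm Feeling
// Lucky -> paypal.com) or a host guess ("www.https.com").

// Assumed list of schemes for which a broken separator should be refused.
const KNOWN_SCHEMES = new Set(["http", "https", "ftp", "file"]);

// A syntactically valid authority-based URL: scheme "://" host [:port] [path].
const VALID_URL =
  /^([a-z][a-z0-9+.-]*):\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::\d+)?(\/.*)?$/i;

// Something that starts like a scheme but has a broken separator,
// e.g. "https::/", "https:/", "https//", "https:::" followed by anything.
const BROKEN_SCHEME = /^([a-z][a-z0-9+.-]*)(?::+\/*|\/+)(.*)$/i;

// A bare hostname such as "paypal.com" or "paypal.com/login".
const BARE_HOST = /^[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:\/.*)?$/i;

function classifyAddressBarInput(raw) {
  const input = raw.trim();

  const url = VALID_URL.exec(input);
  if (url) {
    return { kind: "url", scheme: url[1].toLowerCase(), host: url[2].toLowerCase() };
  }

  const broken = BROKEN_SCHEME.exec(input);
  if (broken && KNOWN_SCHEMES.has(broken[1].toLowerCase())) {
    // The user clearly meant a URL; surface the typo instead of guessing.
    return {
      kind: "invalid",
      scheme: broken[1].toLowerCase(),
      reason: "malformed scheme separator; expected '://'",
    };
  }

  if (BARE_HOST.test(input)) {
    // Only here is an http:// prefix implied, and the caller should show it.
    return { kind: "url", scheme: "http", host: input.split("/")[0].toLowerCase() };
  }

  // Anything else is a keyword search, never a guessed host.
  return { kind: "keyword", query: input };
}
```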

Comment 1

13 years ago
It is "I'm feeling lucky", I think.  If you turn it off, FF guesses www.https.com
instead, which does exist, so you end up there.

Comment 2

13 years ago
It surely is bug 231720. If you search for https, www.paypal.com is the first
entry. Microsoft.com is the one for http.

*** This bug has been marked as a duplicate of 231720 ***
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE

Comment 3

13 years ago
So, I can see this has been made a duplicate of the basic bug.  Does this mean
that this bug has now been "resolved" and there is no longer a security issue?

(The reason that I filed another bug was that #231720 is marked as trivial,
which does not recognise the potential security ramifications.)

Comment 4

13 years ago
*** Bug 289800 has been marked as a duplicate of this bug. ***

Comment 5

13 years ago
If you type odd things into the URL bar, it might take you to odd places.

That the security was set to 'trivial' has nothing to do with security. That was
because the original bug was supposed to be trivial to solve.

Bug 233541 wanted to disable the whole 'I feel lucky search', but was WONTFIXed.
Bug 275957 wants to have an info-bar to warn the user (like for popups).
Bug 263213 seems the best solution for what you want.