Closed Bug 295709 Opened 16 years ago Closed 1 year ago

with popups enabled, the opened popup may appear to belong to the page behind it (security issue)

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
major

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: maxozilla, Unassigned)

References

()

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050513 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050513 Firefox/1.0+

If you enable popups and go to http://aqppevof.mail333.com (this site attempts
to trick people into giving out their credit card details), a popup is opened
with an illegitimate page contained within, and behind it, a legitimate web page
is opened. The user could be tricked into thinking that this popup is part of
the legitimate page behind.
Even Internet Explorer has got round this problem, because in the title bar of
the popup, it displays the real address (http://aqppevof.mail333.com). FireFox
does not.

Reproducible: Always

Steps to Reproduce:
1. Enable popups.
2. Go to http://aqppevof.mail333.com

Actual Results:  
A popup that appears to belong to the legitimate page behind it is opened.

Expected Results:  
There should be some kind of indication that this popup is from a different website.

Note that http://aqppevof.mail333.com is a website attempting to defraud people,
which is sent out in spam messages.
In 1.0.x builds the popup titlebar also contains the site in Firefox. In 1.1 we
will either do that or put the sitename in the statusbar as we do for secure pages.
Depends on: 22183
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.