Closed Bug 298903 Opened 19 years ago Closed 18 years ago

status bar link URL hiding

Categories: Firefox :: Security, defect
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: major
Tracking: RESOLVED DUPLICATE of bug 83578
People: Reporter: tecnica, Assigned: dveditz
Details: Whiteboard: [sg:spoof][no l10n impact]
Attachments: 1 file

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Moving the mouse cursor over links does not display the URL (as it should).
The address bar displays the correct URL: http://compsci.buu.ac.th/.ssl/.../

I've received this URL in this email:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<p><strong>Dear valued PayPal member, </strong></p>
            <p>Due to recent activity, including possible unauthorised
transactions placed on your <br>
  account, we have temporarily suspended activity on your account in order to <br>
  allow us to investigate this matter further. If you believe that this action
may <br>
  have been taken in error, or, if you feel that your account may have been <br>
  tampered with, please visit the <a
href="http://compsci.buu.ac.th/.ssl/...">Resolution Center<a> so that we can
provide additional <br>
  information and work with you to resolve this issue. </p>
            <p>We ask that you allow at least 72 hours for the <br>
  case to be investigated. Emailing us before that time will result in delays.
We <br>
  apologize in advance for any inconvenience this may cause you and we would
like <br>
  to thank you for your cooperation as we review this matter. <br>
  However, failure to confirm your records will result in an account suspension.
<br>
  <br>
  Once you have verified/updated your account records your PayPal service will
not be <br>
  interrupted and will continue as normal. <br>
  <br>
  Please follow the link below and confirm and/or update your account
information. <br>
  <a
href="http://compsci.buu.ac.th/.ssl/...">https://www.paypal.com/cgi-bin/webscr?cmd=login-run&action=update</a>
<br>
  <br>
  If you have received this notice and you are not the authorised account
holder, <br>
  please be aware that it is a violation of PayPal policy to represent oneself
as <br>
  another PayPal user. Such action may also be in violation of local, national, <br>
  and/or international law. PayPal is committed to assist law enforcement with
any <br>
  inquires related to attempts to misappropriate personal information with the <br>
  intent to commit fraud or theft. Information will be provided at the request
of <br>
  law enforcement agencies to ensure that perpetrators are prosecuted to the <br>
  fullest extent of the law. <br>
  <br>
  Best Wishes, </p>
            <br>
PayPal Service Department <br>
PayPal Trust and Safety 

</html>

Reproducible: Always

*** Bug 298920 has been marked as a duplicate of this bug. ***
I might be misunderstanding the problem, but WFM. Unless you meant the problem
was *after* you followed the compsci.buu.ac.th link, but it looks like you've
taken the path out and replaced it with "...". That link is 404 for me which is
why I think you are talking about the mail itself (which works fine).

I'm confused that you're talking about an email, but filed the bug against Firefox.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
(In reply to comment #2)
> I might be misunderstanding the problem, but WFM. Unless you meant the problem
> was *after* you followed the compsci.buu.ac.th link, but it looks like you've
> taken the path out and replaced it with "...". That link is 404 for me which is
> why I think you are talking about the mail itself (which works fine).
> 
> I'm confused that you're talking about an email, but filed the bug against Firefox.

I'm talking about an email, 'cause I've received the URL in an email (just spam!).

The correct URL is ("..." included!) http://compsci.buu.ac.th/.ssl/.../ (just
click on it!)
You will see the PayPal web site (but it could be my own bank site!), but if you
move the mouse over the links Firefox doesn't display the links' URL (spoofing?!?).

I don't know what's in the ".ssl/.../" directory on the compsci.buu.ac.th web server,
but I expect Firefox to display the links beginning with
"http://compsci.buu.ac.th/.ssl/.../" on the status bar, NOT just nothing!
I can think: "Hmmm, I see the PayPal site. I trust it! Let me log in.". But the
tamperers at "http://compsci.buu.ac.th/.ssl/.../" log my credentials!
(In reply to comment #3)
> The correct URL is ("..." included!) http://compsci.buu.ac.th/.ssl/.../ (just
> click on it!)

I've tried the URL right now: 404 not found.
Maybe the admin removed it (I've contacted PayPal because I thought it was a fraud).

Here is another URL:

http://www.eun.eg/.ssl/index.html

This one works.

I will not contact PayPal until the bug is resolved.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Thanks, I've captured a local copy of this one now... I'll try to reduce to a
usable testcase.

McAfee reports the "JS/Stealus.gen" trojan in the included script
http://www.eun.eg/.ssl/js.htm, but that's not the statusbar problem. Stealus
tries to put a popup saying "https://www.paypal.com/" on top of the address bar,
an old now-fixed IE vulnerability.

There are three <body> tags in the file, two in the <head> and one after. Is
that confusing event bubbling? DOM Inspector sees it as a single body, though,
combining the event handlers added to the individual <body></body> elements.
Assignee: nobody → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b4?
Whiteboard: [sg:spoof]
Whiteboard: [sg:spoof] → [sg:spoof][no l10n impact]
Dan, do you still think this should be a blocker? I don't see a URL spoof here.
Maybe it's changed? 
The "spoof" is not of the site's origination itself (though it does try to hide
itself from unpatched versions of IE), this bug is about the fact that when you
mouse over the links the status bar does not show the URL.

In this particular case the links are all to real paypal links (the phisher is
after the form post), but this technique could be used to hide dodgy links as
well.
Summary: URL spoofing → status bar link URL hiding
Flags: blocking1.8b4? → blocking1.8b4+
Flags: blocking1.8b4+ → blocking1.8b4-
Blocks: 325274
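The two things this thread points at (a link whose visible text is a paypal.com URL while its href goes elsewhere, as in the quoted mail, and links whose mouseover handlers hide the real URL from the status bar, plus the odd multiple <body> tags dveditz noticed) can be caught statically in a mail body before a user ever hovers over anything. The checker below is an added example and not code from this bug or from Mozilla; it assumes the status-bar hiding is done by mouse handlers that overwrite window.status (the classic mechanism, which the thread does not spell out), and it runs over a constructed HTML sample modelled on the phishing mail above, with the real phishing host replaced by the placeholder phish.example.

```javascript
// Added example, not part of the Bugzilla thread: a small static checker for
// HTML mail bodies that flags the patterns discussed in bug 298903.
// Assumptions (not stated on the page): status-bar hiding is done by mouse
// handlers that overwrite window.status; SAMPLE_HTML is constructed here,
// modelled on the quoted phishing mail, with a placeholder host.

const SAMPLE_HTML = `<html><head>
<body onload="init()"><body>
</head><body>
<p>please visit the <a href="http://phish.example/.ssl/.../"
  onmouseover="window.status='https://www.paypal.com/'; return true">Resolution Center</a></p>
<p><a href="http://phish.example/.ssl/.../">https://www.paypal.com/cgi-bin/webscr?cmd=login-run</a></p>
<p><a href="https://www.paypal.com/help">Help</a></p>
</body></html>`;

// Hostname of a URL, or null when the string is not a URL at all.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Visible text of an anchor: inner markup removed, whitespace trimmed.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, '').trim();
}

// Regex extraction is adequate for a checker over mail bodies; a gateway
// product would use a real HTML parser.
const ANCHOR_RE = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
const MOUSE_EVENTS = ['onmouseover', 'onmouseout', 'onmousemove'];

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns a list of findings; an empty list means nothing suspicious.
function checkHtml(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    const href = attrs.href || '';
    const text = stripTags(m[2]);
    const hrefHost = hostOf(href);
    const textHost = hostOf(text);
    // Link text that is itself a URL must point at the same host as href.
    if (textHost && hrefHost && textHost !== hrefHost) {
      findings.push({ kind: 'text-href-mismatch', href, text });
    }
    // Mouse handlers that touch the status bar hide the real target on hover.
    for (const ev of MOUSE_EVENTS) {
      const handler = attrs[ev];
      if (handler && /\bstatus\b/.test(handler)) {
        findings.push({ kind: 'status-overwrite', href, handler });
      }
    }
  }
  // More than one <body> is malformed markup, as seen in the captured page.
  const bodyCount = (html.match(/<body\b/gi) || []).length;
  if (bodyCount > 1) {
    findings.push({ kind: 'multiple-body', count: bodyCount });
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(checkHtml(SAMPLE_HTML), null, 2));
}

module.exports = { hostOf, stripTags, parseAttrs, checkHtml, SAMPLE_HTML };
```

The host comparison is deliberately strict (exact hostname match) rather than a suffix check, so that a text of www.paypal.com paired with an href on paypal.com.phish.example is still reported; the status check only looks for the word status inside mouse handlers, which is enough for the hand-written handlers of that era but not for obfuscated scripts loaded from a separate file such as the js.htm mentioned above.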

*** This bug has been marked as a duplicate of 83578 ***
No longer blocks: 325274
Status: NEW → RESOLVED
Closed: 19 years ago → 18 years ago
Resolution: --- → DUPLICATE