Closed Bug 302974 Opened 19 years ago Closed 19 years ago

"I'm feeling lucky" search can be abused to trick users into fake sites

Categories

(Firefox :: Address Bar, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 263213

People

(Reporter: hjtoi-bugzilla, Unassigned)

Details

This was discussed on full-disclosure with the summary "Weird URL". The Firefox feature that, when you enter a non-URL in the URL bar, does a Google I'm Feeling Lucky search without notifying the user seems to have taken some security-conscious people by surprise. This becomes a potential problem if someone is instructed to copy and paste a URL that fools the user into thinking they are going to one site while Google in fact routes them to a different location. Not a very likely scenario or big threat, but worth thinking about. For example, this URL (http://phrack;//gmail.com) will take you to http://www.phrack.org/. Now imagine this with http://duhgobbledygook;//bankofamerica.com where you are the number one hit for "duhgobbledygook", and had created a page that looked just like BoA's page. I think at a minimum there should be some information visible to the user when the "I'm Feeling Lucky" search was activated. That is bug 275957. But since something more might be done, filing this as a separate bug.
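As an added illustration of the report above (not part of the bug thread and not Firefox code), this sketch lints a pasted link the way a mail filter or paste handler might: it flags strings where the text after `http://` is not a syntactically valid hostname while a real-looking domain appears later, which is the shape of both example URLs. The function name and verdict labels are hypothetical, and it does not reproduce Firefox's own URL fixup logic.

```javascript
// Added example: lint a pasted link for the pattern described in this report.
// Function name and verdict strings are hypothetical, not Firefox's.

// RFC 1123 hostname syntax: dot-separated labels of letters, digits, hyphens.
// Limitation (assumption for brevity): IPv6 literals are reported as invalid.
const HOSTNAME = /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;
// Anything that reads like "name.tld" to a person skimming the string.
const DOMAIN_LIKE = /\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi;

function inspectPastedLink(text) {
  // Split into scheme, authority (up to the first /, ? or #) and the rest.
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)(.*)$/i.exec(text.trim());
  if (!m) return { verdict: "not-a-url", host: null, decoys: [] };

  const [, , authority, rest] = m;
  // Drop userinfo and port so only the host part is validated.
  const host = authority.slice(authority.lastIndexOf("@") + 1).replace(/:\d*$/, "");
  if (HOSTNAME.test(host)) return { verdict: "ok", host, decoys: [] };

  // The host cannot be a real hostname, so the string is not a usable URL.
  // Any domain-looking text after it is what the reader believes the target is.
  const decoys = rest.match(DOMAIN_LIKE) || [];
  const verdict = decoys.length ? "invalid-host-with-decoy" : "invalid-host";
  return { verdict, host, decoys };
}

// Constructed sample input: the two URLs from the report plus a normal one.
const samples = [
  "http://phrack;//gmail.com",
  "http://duhgobbledygook;//bankofamerica.com",
  "https://www.mozilla.org/en-US/",
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(inspectPastedLink(s)));
}
```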
Removing the security-sensitive status since this was discussed on the public full-disclosure list.
Group: security
Neither of your examples is at all convincing. The first one *looks* like phrack, the second does not look like bankofamerica. In both cases when the user gets where they are going the URL bar will clearly show the real site (unless bug 264610 kicks in, but that's independent). The problem isn't spoofing users, it's mystifying them as in bug 275957.
examples match this bug. *** This bug has been marked as a duplicate of 263213 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE