Closed Bug 304143 Opened 19 years ago Closed 19 years ago

Hooking WinSock functions under Windows platform, can give you Pishing Scam ability

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
critical


VERIFIED INVALID

People

(Reporter: brunildo, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6

If you hook WinSock APIs, you can easily do a Web-site Redirector. Ok, what does
this have to do with Firefox? Simple. The other page will be reproduced on the
Firefox screen but the Address Bar will show the old address. For example: if we
change the packets which are like "GET www.uol.com.br", and change it to "GET
www.mozilla.com", the Mozilla web-site will appear on my screen, but the Address bar
will keep showing "www.uol.com.br".

Reproducible: Always

Steps to Reproduce:
Can't reproduce easily like this. This technique is used by virus software.
Actual Results:
Already told in "Details" field

So you mean if you have spyware or a virus on your system already, it can
control networking requests and fake DNS?  That's far beyond our control....
If you wish I can send you an executable which can exploit this security hole
(sorry for bad English). That's not far beyond your control... could not be that
hard to put 6 bytes at the beginning of the "send" API before calling "send".
This can prevent API Hooking and everything else. Another possibility is to
rewrite into the Address Field, when you get an answer from the server, with the
web-site location.

Even if it's possible to instruct Windows to skip hooks on certain APIs, I don't
think it's possible for Firefox to protect itself from spyware running on the
same Windows account.

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID

Note that the same spoofing can be done external to the user's box (e.g. Google
"airpwn"). SSL prevents these MITM attacks, without SSL you can never be sure.

Asking the resulting host is no good. Might catch a prank redirection, but in a
real attack the site will presumably say "Oh yes, I *am* your bank" in any
non-secure ways we think to check.
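The point in the comment above is that the address-bar host is only trustworthy when the connection is protected by SSL/TLS: the browser compares the host the user typed against the names in the server's certificate, so a connection that a hooked socket layer (or an on-path attacker) silently steers to a different server fails that check instead of rendering the wrong page under the right address. The following is an added illustration, not code from Firefox or from this bug report; it implements the dNSName/wildcard comparison a TLS client performs and runs it over constructed sample certificates, with the host names from the report used purely as placeholders.

```python
"""Added example: the certificate hostname check that defeats a socket-level
redirect. Certificate contents below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Minimal stand-in for an X.509 certificate: only its dNSName SANs matter here."""
    subject_alt_names: list[str] = field(default_factory=list)


def hostname_matches(hostname: str, san_names: list[str]) -> bool:
    """Return True if hostname matches one of the certificate's dNSName entries.

    Rules follow RFC 6125 in the strict form modern browsers use:
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard must be the whole left-most label ("*.example.com", not "f*.example.com");
    - a wildcard matches exactly one label, so "*.example.com" matches "a.example.com"
      but neither "example.com" nor "a.b.example.com";
    - wildcards are not accepted for names with fewer than three labels ("*.com").
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if "*" not in name:
            if labels == host_labels:
                return True
            continue
        # Wildcard handling: only a bare "*" in the left-most label is permitted.
        if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]) or len(labels) < 3:
            continue
        if labels[1:] == host_labels[1:]:
            return True
    return False


def verify_connection(address_bar_host: str, presented_cert: ServerCert) -> bool:
    """What the browser can check: does whatever server answered the socket
    hold a certificate for the host shown in the address bar?"""
    return hostname_matches(address_bar_host, presented_cert.subject_alt_names)


# Constructed sample certificates (placeholder names, not real certificates).
UOL_CERT = ServerCert(["www.uol.com.br", "uol.com.br"])
MOZILLA_CERT = ServerCert(["www.mozilla.com", "*.mozilla.com"])


def redirect_scenario() -> tuple[bool, bool]:
    """Honest connection vs. the report's scenario, where the socket layer
    delivers the request to a different server than the address bar names.
    Returns (honest_accepted, redirected_accepted)."""
    honest = verify_connection("www.uol.com.br", UOL_CERT)
    # The redirected server can only present its own certificate, which does
    # not carry the address-bar host, so the handshake is rejected.
    redirected = verify_connection("www.uol.com.br", MOZILLA_CERT)
    return honest, redirected


if __name__ == "__main__":
    honest, redirected = redirect_scenario()
    print("honest connection accepted:", honest)
    print("redirected connection accepted:", redirected)
```

Over plain HTTP there is no equivalent check: the only identity a cleartext server offers is whatever it chooses to put in the response, which is exactly the "Oh yes, I *am* your bank" problem described above.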
Oh, yes Daniel, you are right. Every solution has a negative point. Anyway,
hooking is not for everyone.

Thanks for the really really fast bugtrack answer!
Status: RESOLVED → VERIFIED