Closed Bug 306929 Opened 19 years ago Closed 19 years ago

Bookmark keywords can be abused for phishing

Categories

(Firefox :: Bookmarks & History, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED DUPLICATE of bug 272323

People

(Reporter: serge_leao, Unassigned)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2; SV1; FDM; .NET CLR 2.0.50215; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.10) Gecko/20050717 Firefox/1.0.6

This is the problem (my English is not perfect so please bear with it for now):
When you type an address in Firefox, it is possible to be forwarded to another 
site instead. This introduces critical security issues, like phishing scams.

This is done by malicious use of the feature "keyword" on bookmarks in 
Firefox, as explained step by step below:

Reproducible: Always

Steps to Reproduce:
1. Create a "clone page" to be forwarded to. In my example I 
use "http://topmakers.irth.net/enter.htm"

2. Add a new bookmark using "www.hotmail.com" as keyword, and fill the link 
with your clone page.

3. Add a new bookmark using "http://www.hotmail.com" as keyword, and fill the 
link again with your clone page.

3.1. Exploiters should create a domain with a similar name 
like "www.h0tmail.com/enter.asp", because Mozilla "translates" the keyword to 
the actual site right after the button 'Enter' is pressed. They will most 
likely use pages 
like "www.h0tmail.com/enter.asp20host20ahfdh20host22a35235ae20_obtain_acess.asp", 
so it will be harder to discover the trick.

3.2 After getting the password, the page could even forward the user to the 
real website. You will never discover that your password was stolen. Now 
imagine this on banking sites.

Actual Results:  
The webpage typed ("www.hotmail.com" or "http://www.hotmail.com") was 
overridden by the fake one: "http://topmakers.irth.net/enter.htm"

Expected Results:  
It should reject keywords that contain characters like "/" or ":" and "." 
(maybe only accepting letters, numbers and spaces).

This issue applies to the "Bug Bounty Program", so I'm looking forward to 
it... :)

Please, I would like something that certifies that I helped find this 
issue, sending me some document, can you do this? I would put that in my 
curriculum somewhere. :)
And please quote my full name when publishing this somewhere. 

All this would encourage me to contribute more ;)
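
The keyword restriction proposed under "Expected Results" above, sketched as an audit over a bookmark list. This is an added example, not code from the report or from Firefox; the `{ keyword, url }` bookmark shape and the function names are assumptions, and the sample list is constructed from the values in the report.

```javascript
// Added example (not Firefox code): audit bookmark keywords with the rule
// proposed in the report. The { keyword, url } shape is an assumption.

// Reporter's strict proposal: only letters, numbers and spaces.
const SAFE_KEYWORD = /^[\p{L}\p{N} ]+$/u;

// Returns the hostname a keyword imitates, or null if it does not parse as one.
function hostLikeKeyword(keyword) {
  const k = keyword.trim();
  if (!/[.:\/]/.test(k)) return null;
  try {
    // Add a scheme when the keyword is a bare host such as "www.hotmail.com".
    const u = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(k) ? k : "http://" + k);
    return u.hostname.toLowerCase() || null;
  } catch {
    return null;
  }
}

function auditBookmark({ keyword, url }) {
  if (!keyword) return { ok: true, reason: "no keyword" };
  if (SAFE_KEYWORD.test(keyword)) return { ok: true, reason: "plain keyword" };
  const claimed = hostLikeKeyword(keyword);
  let actual = null;
  try { actual = new URL(url).hostname.toLowerCase(); } catch { /* non-URL target */ }
  if (claimed && claimed !== actual) {
    return { ok: false, reason: `keyword looks like ${claimed} but opens ${actual}` };
  }
  return { ok: false, reason: "keyword has characters other than letters, numbers, spaces" };
}

// Constructed sample data; the first two entries use the values from the report.
const sampleBookmarks = [
  { keyword: "www.hotmail.com", url: "http://topmakers.irth.net/enter.htm" },
  { keyword: "http://www.hotmail.com", url: "http://topmakers.irth.net/enter.htm" },
  { keyword: "wiki", url: "https://example.org/search?q=%s" },
  { keyword: "g s", url: "https://example.org/find?q=%s" },
];

function auditAll(bookmarks) {
  return bookmarks.map((b) => ({ keyword: b.keyword, ...auditBookmark(b) }));
}

for (const r of auditAll(sampleBookmarks)) {
  console.log(`${r.ok ? "OK    " : "REJECT"} ${JSON.stringify(r.keyword)}: ${r.reason}`);
}
```

Both keyword bookmarks from the steps to reproduce are rejected with the mismatched hosts named, while ordinary short keywords pass.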

*** This bug has been marked as a duplicate of 272323 ***
Group: security
Status: UNCONFIRMED → RESOLVED
CC list accessible: false
Closed: 19 years ago
Not accessible to reporter
Resolution: --- → DUPLICATE
Summary: Bookmark can be used for pfishing scam, overriding real webpages with fake ones. → Bookmark keywords can be abused for phishing