Closed Bug 308278 Opened 19 years ago Closed 14 years ago

Spoofing toolbars with <select><option><img>

Categories

(Core :: Layout: Form Controls, defect)

Product:
Core
Component:
Layout: Form Controls
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 575294

People

(Reporter: jruderman, Assigned: sicking)

References

Details

(Keywords: csectype-spoof, sec-low, testcase, Whiteboard: [sg:dupe 575294])

Attachments

(1 file)

demo
86.91 KB, text/html
Details 
Spoofing toolbars with <select><option><img>

I designed this spoof for WinXP Classic, maximized browser window with a screen
width of 1024, no bookmarks toolbar, and no tab bar.  A little tweaking could
make it work with many other configurations.

I noticed this while playing with bug 306663.
Attached file demo 

  

  


Whiteboard: [sg:spoof]

    
  
Keywords: testcase

    
    

    
  
Maybe we should limit the allowed size of <option>. Or alternativly ignore all non-text content in them.

I bet you could pull very similar spoofs using xul <menupopup>s

  

  



    
    

    
  
Come to think of it, this is very hard to actually do anything usefull with. The user has to click on the page to get the dropdown to open, before then the right urlbar will be shown. And even once the urlbar is spoofed it will get unspoofed as soon as the user clicks anywhere where he/she would enter sensitive information.

  

  



    
  
Assignee: nobody → bugmail

    
    

    
  
A click anywhere would dismiss the <select>, but typing would not, and most users enter sensitive information by typing ;)

  

  



    
    

    
  
But focus has to be on the <select> during the typing, otherwise the dropdown is closed, no?

  

  



    
    

    
  
It might be tricky for an attacker to make a "*" appear every time you enter another character of your password, but other than that, the spoof works pretty well.

  

  



    
    

    
  
Hmm.. true.. i didn't think about that. I spoofer could simulate a focused formfield (using images or whatnot) while keeping the focus on the <select>. 

Any ideas for what to do for this then? Seems like a pity to disallow images in <select>, although they work pretty crappily right now.

  

  


Whiteboard: [sg:spoof] → [sg:low spoof]

    
    

    
  
Forward-duping to David Bloom's bug.  His demo makes it clear this problem is higher-severity than I thought, and the discussion there is better.

  

  


Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE

    
  
Keywords: csec-spoof, 
          
            sec-low
Whiteboard: [sg:low spoof]
Whiteboard: [sg:dupe 575294]
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: