Closed Bug 361742 Opened 18 years ago Closed 18 years ago

Address bar & URL spoofing

Categories

(Firefox :: General, defect)

x86
Windows 2000
defect
Not set
normal

RESOLVED DUPLICATE of bug 337344

People

(Reporter: bugzilla.mozilla, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8

PayPal phishing site which spoofs an address bar and the URL of the current page.

I have also tested this on the Firefox 2.0 release with the same results.

Reproducible: Always

Steps to Reproduce:
1. Navigate to http://196.41.221.21:443/problem/
2. Fake message stating the page is moved is displayed with a link to go to "Main page".
3. Click link marked "Click here to go to our main page"


Actual Results:  
New window pops up with spoofed address bar and URL, showing the user is at a page on paypal.com.

Expected Results:  
User can see that the page is not at the paypal.com site.

It seems that if the page is minimized or the window order is changed, the spoofed address bar disappears.

We've known about this issue for a long time, but haven't forced the (real) address bar to always be visible out of fear of breaking web sites.

*** This bug has been marked as a duplicate of 337344 ***

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE

Firefox 2 (upgrade from 1.5.0.8) marks this site immediately as a suspected web forgery, and doesn't let it open with the location bar.

In 1.5.0.8 the true host is shown in the title bar when the location bar is suppressed, but that is too subtle for most people.