Closed Bug 369341 Opened 19 years ago Closed 19 years ago

gatherTextUnder is a bad treewalker, making the phishing filter easy to evade

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: philor, Assigned: philor)

References

(
URL
)

Details

(Keywords: fixed1.8.0.12, fixed1.8.1.3, fixed1.8.1.4, Whiteboard: [sg:nse spoof])

Attachments

(3 files, 2 obsolete files)

testcase
3.68 KB, text/html
Details
SeaMonkey v.2
3.79 KB, patch
neil
: review+
neil
: superreview+
dveditz
: approval1.8.1.4+
dveditz
: approval1.8.0.12+
Details | Diff | Splinter Review
Thunderbird v.2
1.87 KB, patch
mscott
: review+
mscott
: approval-thunderbird2+
Details | Diff | Splinter Review
Links in HTML email are checked for a mismatch between the href URL and the link text, since <a href="http://phisher.com">http://ebay.com</a> is an obvious clue, but the link text comes from the much-copied-around gatherTextUnder function in {product}.../utilityOverlay.js, which is easily confused - see bug 274486. <a href="http://phisher.com"><span>h</span><span><span>t</span></span>tp://ebay.com</a> will sail right past http://mxr.mozilla.org/seamonkey/source/mail/base/content/phishingDetector.js#212 because the passed-in aLinkNodeText will be "h t" The maybe-tolerable fix would be to make gatherTextUnder's "// Last resort..." method test for .parentNode.nextSibling, and continue walking up the tree as long as there's still depth && !.nextSibling, but since the desired effect is a TreeWalker, using a genuine TreeWalker seems like a better way to go.
Flags: blocking-thunderbird2?
There are other simple ways to evade the phishing heuristic, such as have the text link be simply "eBay" -- victims are still going to click. It would definitely be nice to fix the heuristic to catch this, but I don't know that this needs to be hidden as a security bug.
Assignee: dveditz → mscott
Whiteboard: [sg:nse spoof]
The other ways, though, require obviously HTML email that should put a slightly aware person on guard: target URL as link text is popular because you can make it your only HTML, and hope someone mistakes it for a linkified URL in plain text. I don't mind fixing this in a public bug, fixing all the copies in bug 274486, but I'd rather not be the one to explain in detail to phishers just what sort of email they should send to Tb users.
I don't mind leaving this hidden to obscure the fixing process.
me neither. Thanks for helping out with this Phil. Let me know if you need any help.
Flags: blocking-thunderbird2? → blocking-thunderbird2+
Attached patch mail/ v.1 (obsolete) — Splinter Review
Well, I certainly need some sort of help, though I'm not sure what. I've never figured a good workable plan for these "same tiny change in four files in three products" bugs, and while this seems to work fine in trunk Tb (and the equivalent change in trunk Fx), I've got no idea how to evaluate how good range's bits were for either 1.8.1.x or, moreso, 1.8.0.x, where I don't have a single working build environment to even do basic testing.
Assignee: mscott → philringnalda
Status: NEW → ASSIGNED
Attachment #254395 - Flags: review?(mscott)
Attachment #254395 - Flags: approval-thunderbird2?
Attached patch SeaMonkey v.1 (obsolete) — Splinter Review
Wherein I'm even more at sea: works fine for Bookmark This Link in xpfe SeaMonkey, and I don't use mail in SeaMonkey, or know how to build suite/, or have any idea what branch(es) SeaMonkey's shipping, or know who'll wind up willing to review this :)
Attachment #254507 - Flags: superreview?(neil)
Attachment #254507 - Flags: review?(neil)
What about linked broken images with alt text?
Comment on attachment 254507 [details] [diff] [review] SeaMonkey v.1 Mmm, <img alt="h" border="0" style="margin:0;padding:0;">ttp://www.ebay.com works wonderfully. Currently, too, since gatherTextUnder bails with just the h.
Attachment #254507 - Attachment is obsolete: true
Attachment #254507 - Flags: superreview?(neil)
Attachment #254507 - Flags: review?(neil)
Attachment #254395 - Attachment is obsolete: true
Attachment #254395 - Flags: review?(mscott)
Attachment #254395 - Flags: approval-thunderbird2?
At least on the trunk, a document encoder seems to be the best approach.
Attached file testcase
I *think* this covers the variations that matter.
Attached patch SeaMonkey v.2Splinter Review
I look forward to figuring out how on earth to use a document encoder, in bug 274486. Meanwhile, baling wire and duct tape that can land on the branch, too. I'm not sure whether the xpfe/ copy is deadcode, or just used by something I don't know of, but I patched it as well, even though non-suiterunner seems to be using the copy in suite/common/. The change to concat alt text and actual text, instead of only using alt text, makes me a little uneasy, but not uneasy enough to want to have two more copies so that bookmarks/save as can have subtly different behavior than mail. And having both in mixed image/text situations would at least include what I would expect to get, the text, rather than the current oddness of bookmarking a linked image with the text "Hot! Hot! Hot!" underneath, and getting the bookmark title as just "Click to enlarge."
Attachment #255546 - Flags: superreview?(neil)
Attachment #255546 - Flags: review?(neil)
Comment on attachment 255546 [details] [diff] [review] SeaMonkey v.2 (In reply to comment #11) >I look forward to figuring out how on earth to use a document encoder 1. Create it 2. Init it 3. Point it at the container 4. Encode away! >I'm not sure whether the xpfe/ copy is deadcode, or just used by something I >don't know of, but I patched it as well, even though non-suiterunner seems to >be using the copy in suite/common/. For SeaMonkey patch suite/ on the trunk and xpfe/ on the branch.
Attachment #255546 - Flags: superreview?(neil)
Attachment #255546 - Flags: superreview+
Attachment #255546 - Flags: review?(neil)
Attachment #255546 - Flags: review+
Attached patch Thunderbird v.2Splinter Review
Opened files don't seemed to get the anti-phishing treatment, so I don't have nice testcases, but this seems to work with my collection of things I sent myself (and certainly should work just like it does in a browser).
Attachment #255637 - Flags: review?(mscott)
Attachment #255637 - Flags: approval-thunderbird2?
Attachment #255637 - Flags: review?(mscott)
Attachment #255637 - Flags: review+
Attachment #255637 - Flags: approval-thunderbird2?
Attachment #255637 - Flags: approval-thunderbird2+
Phil, can we land the tb patch on the branch?
An excellent idea, possibly only surpassed by my having done it last weekend, when I thought I did. mail/base/content/utilityOverlay.js 1.3, 1.1.2.3
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8.1.3
Resolution: --- → FIXED
xpfe/communicator/resources/content/utilityOverlay.js 1.95 suite/common/utilityOverlay.js 1.98
Attachment #255546 - Flags: approval1.8.1.3?
Attachment #255546 - Flags: approval1.8.0.11?
Attachment #255637 - Flags: approval1.8.0.11?
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Comment on attachment 255546 [details] [diff] [review] SeaMonkey v.2 approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #255546 - Flags: approval1.8.1.4?
Attachment #255546 - Flags: approval1.8.1.4+
Attachment #255546 - Flags: approval1.8.0.12?
Attachment #255546 - Flags: approval1.8.0.12+
Comment on attachment 255637 [details] [diff] [review] Thunderbird v.2 approved for 1.8.0.12, a=dveditz for release-drivers. Appears to be already checked into Tbird2, right?
Attachment #255637 - Flags: approval1.8.0.12? → approval1.8.0.12+
Right: both branches for Sm, just 1.8.0.x for Tb, was exactly what I needed, thanks. Well, that and a solid eight hours when I can watch 1.8.0.x tinderboxes, but Saturday is plenty soon enough.
Comment on attachment 255637 [details] [diff] [review] Thunderbird v.2 Gah, too many branches and forks in the tree, too few brains between my ears. Tb didn't fork utilityOverlay.js in 1.8.0.x, so the "SeaMonkey" patch is Sm&Tb both, there.
Attachment #255637 - Flags: approval1.8.0.12+
xpfe/communicator/resources/content/utilityOverlay.js: 1.87.4.7 xpfe/communicator/resources/content/utilityOverlay.js: 1.87.4.3.2.1
Keywords: fixed1.8.0.12, fixed1.8.1.4
Group: security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: