User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:184.108.40.206) Gecko/20070309 Firefox/220.127.116.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:18.104.22.168) Gecko/20070309 Firefox/22.214.171.124

Hello,

Apparently it is possible to bypass Firefox (and Opera) phishing protection by including the phishing URL within an iframe / object tag. In this case we don't get any phishing warning. I've released some demonstrations to test the above. The URL used as proof is 'http://zonafirefox.googlepages.com/trap2.html' but we can use any reported phishing website:

http://zonafirefox.googlepages.com/trap1.html (uses JS to create an iframe)
http://zonafirefox.googlepages.com/trap2.html (embedded phishing URL using an IFRAME tag)
http://zonafirefox.googlepages.com/trap3.html (embedded phishing URL using an OBJECT tag)

Reproducible: Always

Steps to Reproduce:
1. Embed any phishing website in an IFRAME / OBJECT HTML tag

Actual Results:
Firefox doesn't display any phishing warning

Expected Results:
Firefox should display a phishing warning

IE7 does not have the problem. Opera 9.1 and 9.2b also fail.
Sorry, the phishing URL used as proof is 'http://www.mozilla.com/firefox/its-a-trap.html'.
Using a Mac branch nightly build, I see the warning on all of these pages if I load them in a background tab, and then switch to that tab. I don't see the warning for trap1.html if I load the page in a new foreground tab, or load the page in the same tab (by clicking the link directly).

> http://zonafirefox.googlepages.com/trap1.html (uses JS to create an iframe)
> http://zonafirefox.googlepages.com/trap2.html (embedded phishing url using an
> IFRAME tag)
> http://zonafirefox.googlepages.com/trap3.html (embedded phishing url using an
> OBJECT tag)
Thank you. I've tested it in Windows XP and Linux, and if I load the page in a background tab and then switch to that tab, I see the warning in all demos. If I open the link in a new window I also see the warnings. But it doesn't display any warning if I click normally (opening in the current tab/window).
Summary: Bypass phishing protection in Firefox 126.96.36.199 → Framing a known phishing site does not trigger phishy-site warning
Version: unspecified → 2.0 Branch
I don't ever see any warning when visiting http://gavinsharp.com/tmp/sb.html, and I'm not sure how it differs from your trap2.html. Perhaps your trap2.html has been added to the blacklist? I seem to recall Tony or someone else mentioning that using this technique to "get around" the phishing protection would just result in the embedding page's URL being added to the blacklist, so maybe that's what's happening?
Apparently the demos have been added to the blacklist, but they are similar to your demonstration. Anyway, adding the embedding page to the blacklist doesn't resolve the problem. Firefox must be capable of displaying a warning when I left-click on the links.
The current design doesn't check (i)frames. This was originally done to save on bandwidth in remote lookup mode (see bug 349234). There was a short discussion on the previous bug about legitimate cases of a phishing site being framed. Also, if you're intentionally framing a phishing site, it's not any harder to just host the phishing yourself. That said, we could probably scan frames in local list mode.
(In reply to comment #6)
> The current design doesn't check (i)frames. This was originally done to save
> on bandwidth in remote lookup mode (see bug 349234). There was a short
> discussion on the previous bug about legitimate cases of a phishing site being
> framed. Also, if you're intentionally framing a phishing site, it's not any
> harder to just host the phishing yourself.
>
> That said, we could probably scan frames in local list mode.
>

That could be a solution. I think a 100% iframe with a phishing site embedded can be a security matter for an average user. Anybody could frame a self-hosted phishing site in order to avoid the phishing warning. By the way, if I open the link in a new tab/window Firefox acts well.
Does this need to remain confidential? Scanning frames might increase detection so we should do it if it's cheap (confirming bug), but in effect this is just another way phishers can quickly rotate their phishing URLs. Eventually the ones actually used will be added to the list and caught. Phishers already know they have to keep varying the URL to stay ahead of the lists, opening this bug doesn't tell them anything they don't already know. I'll wait a couple days for objections before doing so.
Severity: major → normal
Status: UNCONFIRMED → NEW
Ever confirmed: true
Note that Firefox 3 has changed and in fact _does_ check iframe URIs. This was done primarily due to the new protection against malware pages where you don't want to touch them in any way, but the same approach is used for phishing sites so we don't have to support two different mechanisms. I'm pretty sure this is a WONTFIX for the 1.8 (firefox 2) branch.
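The difference between the top-level-only lookup described in comment #6 and a lookup that also covers framed documents, as an added example that is not part of the bug thread and is not Firefox code. The blocklist format, the `canonical` simplification, the function names and the `embedder.example` page are assumptions made for illustration; the listed entry is the test URL named in the report.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed local list holding only the test URL named in the report.
LOCAL_BLOCKLIST = {"www.mozilla.com/firefox/its-a-trap.html"}

def canonical(url):
    """Reduce a URL to host + path (assumed simplification of list matching)."""
    parts = urlsplit(url)
    return (parts.hostname or "") + (parts.path or "/")

def is_listed(url):
    return canonical(url) in LOCAL_BLOCKLIST

class FrameCollector(HTMLParser):
    """Collect URLs of embedded documents from static markup."""
    ATTR = {"iframe": "src", "frame": "src", "embed": "src", "object": "data"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTR.get(tag)          # tag names arrive lowercased
        value = dict(attrs).get(wanted) if wanted else None
        if value:
            # Resolve relative references against the embedding page.
            self.urls.append(urljoin(self.base_url, value))

def check_top_level_only(page_url, html):
    """Only the address-bar URL is looked up; framed content is ignored."""
    return [page_url] if is_listed(page_url) else []

def check_with_frames(page_url, html):
    """Look up the page URL and every framed or embedded document URL."""
    collector = FrameCollector(page_url)
    collector.feed(html)
    return [u for u in [page_url, *collector.urls] if is_listed(u)]

# Constructed sample: an unlisted page that frames the listed test URL.
EMBEDDING_PAGE = "http://embedder.example/trap2.html"
SAMPLE_HTML = """<html><body>
<object data="/banner.svg"></object>
<iframe src="http://www.mozilla.com/firefox/its-a-trap.html"
        width="100%" height="100%"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("top-level only:", check_top_level_only(EMBEDDING_PAGE, SAMPLE_HTML))
    print("with frames:   ", check_with_frames(EMBEDDING_PAGE, SAMPLE_HTML))
```

Static parsing does not see frames that a script creates at run time, as in the trap1.html demo; catching those requires checking each document URL at load time.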
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit