Phishing warning, found an easy way to hide a fake url

RESOLVED DUPLICATE of bug 304905

Product: Firefox
Component: Security
Version: 2.0 Branch
Platform: x86, Windows XP
Keywords: testcase
Reporter: Maciej Baron
Assignee: Unassigned
Attachments: 1 attachment
(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

This is my first time posting a bug, so I may do some things wrong.

Anyway, I found an easy way to hide a fake URL in an address.
Check out the example: http://venatios.pl/bug.htm
The link looks fine: when you move the mouse cursor over the link you can see 'http://firefox.com' in the status bar, so it looks 'real'. But in fact, the link is http://%c2%8cfirefox.com/. However, the domain name is incorrect, but you can hide other addresses, like http://en.wikipedia.org/wiki/%c2%8cFirefox. What is interesting is that on Wikipedia the header will be shown as Firefox.
I don't know if this is serious, but maybe Firefox should output the URL in the status bar with the %c2%8c or other special characters?

Reproducible: Always

Steps to Reproduce:
1. Create a link with some special character, like %c2%8c
2. The link in the status bar will be shown without the character

Actual Results:
The link at the status bar is fake.

With my 2.0.0.4pre build I see the status bar display "http://firefox.com" but with trunk it displays "http://  firefox.com"

(Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a5pre) Gecko/20070504 Minefield/3.0a5pre ID:2007050405 [cairo])

Updated

11 years ago
Component: General → Security
QA Contact: general → firefox
Version: unspecified → 2.0 Branch
Created attachment 263737 [details]
testcase from reporter's URL

Updated

11 years ago
Blocks: 325274
Keywords: testcase
(Reporter)

Comment 3

11 years ago
However, let's talk about the Wikipedia case:
It is possible to create fake sites on Wikipedia like http://en.wikipedia.org/wiki/User:%c2%8cSomething or http://en.wikipedia.org/wiki/Wikipedia:%c2%8cAbout. The status bar shows the fake link and even the header is the same. Only the URL is different (if noticed).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 304905
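
A display-side check for the behaviour reported above, as an added example that is not Firefox code and not the fix from bug 304905: it builds a readable form of a URL but keeps any character without a visible glyph percent-encoded, so `%c2%8c` (U+008C, a C1 control) stays visible. The function names and the character list are assumptions made for this illustration, and the list is not exhaustive.

```javascript
// Added example, not Firefox code. Constructed, non-exhaustive set of code
// points that usually render with no glyph: C0 controls, DEL, C1 controls
// (U+0080-U+009F, which includes the U+008C behind %c2%8c), NBSP, soft
// hyphen, zero-width and bidi controls, BOM.
const CLASS = '\\u0000-\\u001F\\u007F-\\u00A0\\u00AD\\u200B-\\u200F' +
              '\\u2028-\\u202E\\u2060-\\u2064\\uFEFF';
const INVISIBLE = new RegExp('[' + CLASS + ']');
const INVISIBLE_ALL = new RegExp('[' + CLASS + ']', 'g');
const ESCAPE_RUN = /(?:%[0-9A-Fa-f]{2})+/g;

// Percent-encode invisible characters that appear raw in the string.
function escapeRaw(url) {
  return url.replace(INVISIBLE_ALL, (ch) => encodeURIComponent(ch));
}

// Decode a run of %XX escapes as UTF-8; null when the bytes are malformed.
function decodeRun(run) {
  try { return decodeURIComponent(run); } catch (e) { return null; }
}

// Display form: visible non-ASCII text is unescaped for readability, while
// invisible characters and escaped ASCII delimiters stay percent-encoded.
function displayUrl(url) {
  return escapeRaw(url).replace(ESCAPE_RUN, (run) => {
    const text = decodeRun(run);
    if (text === null) return run; // malformed UTF-8: show the raw escapes
    return Array.from(text, (ch) =>
      ch.codePointAt(0) < 0x80 || INVISIBLE.test(ch) ? encodeURIComponent(ch) : ch
    ).join('');
  });
}

// List the invisible code points a URL carries, raw or percent-encoded.
function hiddenCharacters(url) {
  const found = [];
  for (const run of escapeRaw(url).match(ESCAPE_RUN) || []) {
    for (const ch of decodeRun(run) || '') {
      if (INVISIBLE.test(ch)) {
        found.push('U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'));
      }
    }
  }
  return found;
}

// The link from the report, used here as sample input.
console.log(displayUrl('http://%c2%8cfirefox.com/'), hiddenCharacters('http://%c2%8cfirefox.com/'));
```

A non-empty result from `hiddenCharacters` can also serve as a signal to flag or reject a link before it is rendered.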