
Phishing vulnerability in userinfo for websites over HTTP

Status: RESOLVED WORKSFORME

Product: Firefox
Component: Security
Priority: --
Severity: critical
Reported: 10 years ago
Modified: 10 years ago

People

Reporter: James Nelson, Unassigned

Tracking

Firefox Tracking Flags: Not tracked

Description (Reporter), 10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

It is possible to use the userinfo component of a URL to trick users into thinking they are at a different website than they are really at, as the above example demonstrates. Many users won't realize that they are at example.com, but will instead think they are at mybank.com. In fact, the majority of users probably won't even know what the userinfo component is.

As the RFC (http://www.ietf.org/rfc/rfc1738.txt) states, userinfo isn't allowed in an HTTP URL. This really should be fixed; it's a disaster waiting to happen.

Reproducible: Always

Steps to Reproduce:
1. Follow the given URL.
Actual Results:  
Taken to example.com instead of mybank.com.

Expected Results:  
Alerted the user that userinfo isn't allowed in URLs.

Comment 1

The RFC may say that, but that's not what's true in practice.

Firefox 2 does give a warning on the URL you give; I don't know why you are not seeing it.

Gerv

Comment 2

Firefox alerts the user saying they're really going to "example.com" and that a login may be an attempt to trick you.

After the warning the userinfo is stripped from the address bar so that clearly shows example.com as well.

Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → WORKSFORME
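To make concrete both the trick the description relies on (a host-like string in the userinfo part of an http URL) and the mitigation comment 2 describes (warn, then show the real host with the userinfo stripped), here is an added Python example. It is not part of the bug report or of Firefox's code; the sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def inspect_url(url: str) -> dict:
    """Split a URL and report whether its authority carries userinfo.

    Returns the host the browser will actually connect to, the userinfo
    text (if any) and the URL with userinfo removed, which is what the
    bug's comment 2 describes the address bar showing after the warning.
    """
    parts = urlsplit(url)
    # RFC 3986: userinfo is the text before the LAST '@' in the authority.
    # An '@' inside the path, query or fragment is not userinfo, and
    # urlsplit has already kept those components apart from the netloc.
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep:
        userinfo, hostport = None, parts.netloc
    display_url = urlunsplit(
        (parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,  # lowercased, port and userinfo removed
        "userinfo": userinfo,
        "display_url": display_url,
    }


def warning_for(url: str):
    """Return the warning a user agent should show, or None if none is needed.

    Only http(s) URLs are flagged: the report's point is that userinfo in a
    web URL is almost always there to imitate a host name.
    """
    info = inspect_url(url)
    if info["userinfo"] is None or info["scheme"] not in ("http", "https"):
        return None
    # Echo only the user part of user:password so a password is never shown.
    shown = info["userinfo"].split(":", 1)[0]
    return (f'This link goes to "{info["host"]}", not to "{shown}". '
            f'The text before "@" is a login name and may be an attempt to '
            f'trick you. The address will be shown as {info["display_url"]}')


if __name__ == "__main__":
    # Constructed samples: the bug's shape, a benign '@' in a query string,
    # and a user:password@host:port form.
    for sample in ("http://mybank.com@example.com/login",
                   "http://example.com/?email=user@mybank.com",
                   "http://user:secret@example.com:8080/"):
        print(sample, "->", warning_for(sample))
```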
Comment 3 (Reporter), 10 years ago
OK, my fault. Didn't do enough testing beforehand. Sorry about that.