Closed Bug 399533 Opened 18 years ago Closed 17 years ago

Phishing concern for the new location bar auto-complete

Categories

(Firefox :: Bookmarks & History, defect)

Product:
Firefox
Component:
Bookmarks & History
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: faaborg, Unassigned)

Details

Here is an attack I'm worried about: 1) a variety of pages that the user visits do a very fast redirect through a phishing site, which has the title "paypal." These pages get recorded in history (I'm pretty sure), and the frecency starts to go up. For instance, this fast redirect occurs on every thumbnail image in a gallery the user is browsing, and the frecency score of the phishing site increases as the user navigates back and forth. 2) the user types "paypal" into the location bar, and selects the first item, unintentionally navigating to the phishing site, because their mental model has not adapted to the new behavior of the location bar (full history instead of only things you have personally typed in). [* alternatively the page dynamically shows phishing/non-phishing content based on if it is being navigated to from a hyperlink vs. directly navigated to with the location bar, (I'm also assuming there is a way to pull that off)]. Potential solutions: -be careful about what we store in history due to this new attack surface -give results in the location bar auto-complete that have EV certs a different visual treatment, so the user may be cued that this isn't the result they expected.
I don't think it's possible for sites to "spam" autocomplete this way, given the fix for bug 381453. As I understand it we keep the "redirect" entries in history for link coloring and possibly other things, but we don't let them get into autocomplete.
I don't think this is really new. The same problem has always existed with hostnames that start with "paypal".
>I don't think this is really new. The same problem has always existed with >hostnames that start with "paypal". True, but we may make this particular vulnerability worse if we change the way location bar auto-complete results are formatted: http://people.mozilla.com/~faaborg/files/20071009-visualRefresh/locationBarSearch.png
Group: security
Resolving as invalid based on Jesse's comment.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Bug 451915 - move Firefox/Places bugs to Firefox/Bookmarks and History. Remove all bugspam from this move by filtering for the string "places-to-b-and-h". In Thunderbird 3.0b, you do that as follows: Tools | Message Filters Make sure the correct account is selected. Click "New" Conditions: Body contains places-to-b-and-h Change the action to "Delete Message". Select "Manually Run" from the dropdown at the top. Click OK. Select the filter in the list, make sure "Inbox" is selected at the bottom, and click "Run Now". This should delete all the bugspam. You can then delete the filter. Gerv
Component: Places → Bookmarks & History
QA Contact: places → bookmarks
You need to log in before you can comment on or make changes to this bug.