Closed
Bug 411216
Opened 15 years ago
Closed 15 years ago
Able to create convincing spoof page that resembles FF toolbars using Javascript/CSS
Categories
(Toolkit :: Safe Browsing, enhancement)
RESOLVED
DUPLICATE
of bug 337344
People
(Reporter: junk, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

By using javascript/stylesheets to open up a new page that disables the toolbar and all margins within the body tag, it is possible to create a convincing spoof page that resembles default toolbars and uses input form to resemble URL bar. As this inherently affects all browsers I'm raising this as an enhancement for your consideration.

Reproducible: Didn't try

Steps to Reproduce:
1. Using Javascript construct a page to open a new window that will display no toolbars, have no page margins and detect the native screen resolution and open a new window in a set position/size dependent on resolution
2. Construct the top of the page to resemble default Firefox toolbars using gifs (screengrabs) and stylesheets. Use the input textbox at the top to resemble the Firefox URL bar and enter the url of another site: e.g. "http://www.ebay.co.uk".
3. Create a page that resembles a login website

Actual Results:
By using javascript to open up a new page it is possible to create a convincing phishing page that resembles the default Firefox toolbars and URL bar.

Expected Results:
Any ideas? Suggest one possible solution would be to use the anti-phishing filter that will verify the validity of a secure site by detecting keywords within a page. If, for example, a page contains the word "ebay", this will check the webpage is actually from ebay and warn the user if it isn't?
<html>
<head>
<SCRIPT LANGUAGE="JavaScript">
// "scroll" was not defined in the report as posted; it is set here so the
// features string passed to window.open() is well-formed.
var scroll = "no";

function openindex() {
  // Open a popup that asks the browser to hide its toolbar, menu bar and status bar.
  OpenWindow = window.open("", "newwin", "height=1024, status=no, width=1280,toolbar=no,scrollbars=" + scroll + ",menubar=no");
  OpenWindow.document.write("<TITLE>URL of a site</TITLE>");
  // Zero margins so page content starts at the very top of the window.
  OpenWindow.document.write("<BODY leftmargin='0px' topmargin='0px' marginwidth='0px' marginheight='0px' >");
  OpenWindow.document.write("<h1>FF Toolbar goes here</h1>");
  OpenWindow.document.write("Page resembles another website");
  OpenWindow.document.write("</BODY>");
  OpenWindow.document.write("</HTML>");
  OpenWindow.document.close();
  self.name = "main";
}
</SCRIPT>
</head>
<body onload="openindex()">
</body>
</html>
Comment 1•15 years ago
In Firefox 3 this has been mitigated by always showing the location bar in popups, even with toolbar=no. Bug 22183 also describes a similar problem.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
Product: Firefox → Toolkit
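Added example (not part of the original bug report and not Mozilla's code): a small audit helper that parses a window.open() features string, such as the one in the report's test case, and reports which browser chrome the page asks to hide and whether the location bar would still be shown once it is forced on as described in Comment 1. The parsing rules, the function names and the "chrome not explicitly enabled is left off" model are simplifying assumptions.

```javascript
// Added example: audit a window.open() features string for hidden browser chrome.
// Simplified parsing (comma-separated name=value pairs); real browsers differ in detail.
const CHROME_FEATURES = ["toolbar", "location", "menubar", "status", "scrollbars"];

// Constructed sample: the features string from the report's test case,
// with the scrollbars value filled in as "no".
const POC_FEATURES = "height=1024, status=no, width=1280,toolbar=no,scrollbars=no,menubar=no";

function parseFeatures(featureString) {
  const features = {};
  for (const token of featureString.split(",")) {
    const [rawName, ...rest] = token.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue; // skip empty tokens such as a trailing comma
    const value = rest.join("=").trim().toLowerCase();
    // A bare name, "yes" or "1" enables a feature; "no" or "0" disables it.
    if (value === "" || value === "yes" || value === "1") features[name] = true;
    else if (value === "no" || value === "0") features[name] = false;
    else features[name] = value; // sizes such as height=1024, or unrecognised text
  }
  return features;
}

// forceLocationBar models the mitigation from Comment 1: the location bar is
// always shown in popups, whatever the page requested.
function auditPopup(featureString, forceLocationBar) {
  const parsed = parseFeatures(featureString);
  const hasFeatures = Object.keys(parsed).length > 0;
  const requestedHidden = CHROME_FEATURES.filter((f) => parsed[f] === false);
  // Assumed model: with no features string the window gets full chrome; with one,
  // chrome that is not explicitly enabled is left off.
  const locationBarShown = forceLocationBar || !hasFeatures || parsed.location === true;
  return { requestedHidden, locationBarShown, pageControlsAddressArea: !locationBarShown };
}

console.log("without mitigation:", auditPopup(POC_FEATURES, false));
console.log("with mitigation:   ", auditPopup(POC_FEATURES, true));
```

A popup for which pageControlsAddressArea is true is one where the top of the window is drawn entirely by the page, which is the condition the report relies on.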