Last Comment Bug 427364 - phishing warning not shown if phishing page is in a frame (CVE-2007-1736)
: phishing warning not shown if phishing page is in a frame (CVE-2007-1736)
Product: Toolkit
Classification: Components
Component: Safe Browsing (show other bugs)
: unspecified
: All All
-- major (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
Depends on:
  Show dependency treegraph
Reported: 2008-04-06 04:31 PDT by Marius
Modified: 2014-05-27 12:25 PDT (History)
4 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Marius 2008-04-06 04:31:53 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv: Gecko/20080311 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv: Gecko/20080311 Firefox/

if you report as pishing and then open a window with a frame containing the form page not show the pishing alert.

Reproducible: Always

Steps to Reproduce:
create a new page containing a pishing side in a form.

showld be confidential because the hackers can make pages that contains frames unsigned as pishing
Comment 1 User image Jesse Ruderman 2008-04-06 13:30:19 PDT
This is fixed in Firefox 3.  I'm not sure which patch fixed it -- maybe the one in bug 384941?

I tested with:

data:text/html,<iframe src=""></iframe>
Comment 2 User image Daniel Veditz [:dveditz] 2009-03-13 12:08:45 PDT
Phishing is different from malware. Phishing is primarily a mail-borne illness so we really only have to track the top-level sites that get sent out in spam mail (and web links to a lesser extent). Adding iframe checking doesn't buy you much in terms of effectiveness, and in our case bought us nothing since our data partner (Google) was only tracking top-level URIs. Evil-doers _could_ frame known phishing pages, but then they have to give out the new link and then that one gets added to the list, too.

Malware is a different issue: malware in a frame can infect you whether you see it or not. Invisible malware frames are commonly injected on perfectly legitimate (but hacked) sites, often all at once as vulnerabilities in common site software is found. Protecting against that kind of threat involved significant changes to both what we checked for malware, and the structure of the "bad site" data we get from Google.

The fact that our anti-phishing behavior changed to detect framed phishing sites is a side-effect of it being a subset of the new anti-malware feature, not because we thought the FF2 behavior was deficient.

Note You need to log in before you can comment on or make changes to this bug.