Closed
Bug 427364
Opened 17 years ago
Closed 17 years ago
phishing warning not shown if phishing page is in a frame (CVE-2007-1736)
Categories: Toolkit :: Safe Browsing (defect)
Status: RESOLVED FIXED
People
(Reporter: 86marius86, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
If you report google.com as phishing and then open a window with a frame containing google.com, the framed page does not show the phishing alert.
Reproducible: Always
Steps to Reproduce:
Create a new page containing a phishing site in a frame.
Should be confidential because hackers can make pages that contain frames not flagged as phishing.
Comment 1•17 years ago
This is fixed in Firefox 3. I'm not sure which patch fixed it -- maybe the one in bug 384941?
I tested with:
data:text/html,<iframe src="http://www.mozilla.com/firefox/its-a-trap.html"></iframe>
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Summary: pishing allert not shown if pishing page is showed in a frame → phishing warning not shown if phishing page is in a frame
Comment 2•16 years ago
Phishing is different from malware. Phishing is primarily a mail-borne illness so we really only have to track the top-level sites that get sent out in spam mail (and web links to a lesser extent). Adding iframe checking doesn't buy you much in terms of effectiveness, and in our case bought us nothing since our data partner (Google) was only tracking top-level URIs. Evil-doers _could_ frame known phishing pages, but then they have to give out the new link and then that one gets added to the list, too.
Malware is a different issue: malware in a frame can infect you whether you see it or not. Invisible malware frames are commonly injected on perfectly legitimate (but hacked) sites, often all at once as vulnerabilities in common site software are found. Protecting against that kind of threat involved significant changes to both what we checked for malware, and the structure of the "bad site" data we get from Google.
The fact that our anti-phishing behavior changed to detect framed phishing sites is a side-effect of it being a subset of the new anti-malware feature, not because we thought the FF2 behavior was deficient.
Alias: CVE-2007-1736
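Added example illustrating comment 1's iframe test and comment 2's point about top-level versus framed checks (this is not Firefox or Safe Browsing code): a top-level-only lookup misses a listed page loaded in a frame, while also checking frame sources catches it. The blocklist entry "phishing.example" and the wrapper page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed hostname blocklist standing in for the Safe Browsing data the
# comments describe. "phishing.example" is a placeholder, not a real indicator.
PHISHING_HOSTS = {"phishing.example"}


class FrameSourceParser(HTMLParser):
    """Collects the src attribute of every <frame> and <iframe> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def frame_sources(page_url, html):
    """Return frame URLs resolved against the page URL (data: bases stay as-is)."""
    parser = FrameSourceParser()
    parser.feed(html)
    return [urljoin(page_url, src) for src in parser.sources]


def is_listed(url):
    """True if the URL's host is on the blocklist; non-hierarchical URLs never match."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in PHISHING_HOSTS


def check_top_level_only(page_url, html):
    """Firefox 2 behaviour per comment 2: only the navigated URL is consulted."""
    return is_listed(page_url)


def check_with_frames(page_url, html):
    """Firefox 3 behaviour: the top-level URL and every direct frame source are
    consulted. Frames nested inside a framed document would need that document
    fetched and checked the same way when it loads."""
    return is_listed(page_url) or any(
        is_listed(src) for src in frame_sources(page_url, html)
    )


# Constructed wrapper page modelled on the data: URI test in comment 1.
WRAPPER_URL = "http://innocent.example/login.html"
WRAPPER_HTML = '<html><body><iframe src="http://phishing.example/login"></iframe></body></html>'
```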
Updated•16 years ago
Alias: CVE-2007-1736
Summary: phishing warning not shown if phishing page is in a frame → phishing warning not shown if phishing page is in a frame (CVE-2007-1736)
Updated•11 years ago
Product: Firefox → Toolkit