Closed Bug 528688 Opened 15 years ago Closed 15 years ago

Broken banking secure server causes bank security info incorrectly to be placed in address bar and page info

Categories

(Firefox :: Page Info Window, defect)

x86_64
Linux
defect
Not set
major

Tracking

RESOLVED DUPLICATE of bug 521461

People

(Reporter: lewisp, Unassigned)

Details

(Whiteboard: [sg:dupe 521461])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-6.1 Firefox/3.5.4
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-6.1 Firefox/3.5.4

Note the bank server was known to be having problems as reported by their telephone helpline.

When trying to access the Halifax Bank of Scotland online site I got the bank security info and green flash in the address bar, the status said "done" and the padlock appeared bottom right. Page Info window showed the bank security details but the site being displayed was still the site I had been looking at before.

I fear that this may be able to be used to make a user think that they have accessed their bank site and thus enter security information.

Reproducible: Always

Steps to Reproduce:
1. Happens only when the bank server is having problems (declared on bank helpline).
2. From any other site, try to open the bank site (URL as given).
3.
Actual Results:  
The bank security green flash displayed in address bar and the bank security information partially displayed in "Page Info" while the original site is still displayed.

Expected Results:  
When the bank server is working OK, the bank website is displayed with bank security info.

I fear that this may be a bug that could be used to fool users into believing that they have contacted their bank. I am not sure how but it looks problematic.

I have screen shots of the problem.

I have done a wget on the URL and receive the following output (page data follows):

***

--2009-11-14 09:56:29--  https://www.halifax-online.co.uk/_mem_bin/formslogin.asp
Resolving www.halifax-online.co.uk... 212.140.245.11, 212.140.245.71, 62.172.43.131, ...
Connecting to www.halifax-online.co.uk|212.140.245.11|:443... connected.
HTTP request sent, awaiting response... 302 Object moved
Location: /default.asp?404;http://www.halifax-online.co.uk/_mem_bin/formslogin.asp [following]
--2009-11-14 09:56:30--  https://www.halifax-online.co.uk/default.asp?404;http://www.halifax-online.co.uk/_mem_bin/formslogin.asp
Connecting to www.halifax-online.co.uk|212.140.245.11|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3457 (3.4K) [text/html]
Saving to: `default.asp?404;http:%2F%2Fwww.halifax-online.co.uk%2F_mem_bin%2Fformslogin.asp'

100%[====================================================================================================================>] 3,457       --.-K/s   in 0.04s

2009-11-14 09:56:30 (79.6 KB/s) - `default.asp?404;http:%2F%2Fwww.halifax-online.co.uk%2F_mem_bin%2Fformslogin.asp' saved [3457/3457]

***




<html>
<head>
	<title>Service unavailable</title>
<meta http-equiv="Pragma" content="no-cache"></meta>

<STYLE>

.DarkBlueHeader
{
BACKGROUND-COLOR:#6699ff;
PADDING-TOP: 10px;
PADDING-BOTTOM: 5px;
PADDING-LEFT: 14px;
COLOR:#ffffff;
FONT-FAMILY: Arial;
FONT-WEIGHT: bold
}
.DarkBlue
{
BACKGROUND-COLOR:#6699ff;
PADDING-BOTTOM: 5px;
PADDING-LEFT: 14px;
COLOR:#ffffff;
FONT-FAMILY: Arial;
FONT-SIZE: smaller;
}
.LightBlueHeader
{
BACKGROUND-COLOR:#c8e6ff;
PADDING-TOP: 10px;
PADDING-BOTTOM: 5px;
PADDING-LEFT: 14px;
COLOR:#000099;
FONT-FAMILY: Arial;
FONT-WEIGHT: bold
}
.LightBlue
{
BACKGROUND-COLOR:#c8e6ff;
PADDING-BOTTOM: 5px;
PADDING-LEFT: 14px;
COLOR:#000099;
FONT-FAMILY: Arial;
FONT-SIZE: smaller;
}
.topbanner
{
    BACKGROUND-COLOR: #6699ff;
    PADDING-BOTTOM: 7px;
    PADDING-LEFT: 12px;
    PADDING-TOP: 7px
}
.contentheader
{
    COLOR: #000099;
    FONT-FAMILY: Arial;
    FONT-WEIGHT: bold;
    PADDING-LEFT: 14px;
    PADDING-TOP: 15px    
}
.contentcell
{
    COLOR: #000099;
    FONT-FAMILY: Arial;
    FONT-SIZE: smaller;
    PADDING-LEFT: 14px;
    PADDING-TOP: 15px    
}
</STYLE>
</head>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table cellpadding="0" cellspacing="0" border="0" width="780">
	<tr>
		<td colspan="2" class="topbanner"><img src="graphics/Halifax_logo.gif" alt="Halifax Logo - Always giving you extra"/></td>
	</tr>

	
		
			<tr>
				<td colspan="2" class="contentheader">Sorry, our service is currently unavailable</td>
			</tr>
			
	

	
		
			<tr>
				<td colspan="2"  class="contentcell">We apologise for any inconvenience this may cause. </td>
			</tr>
			
	

	
		
			<tr>
				<td colspan="2"  class="contentcell">If you require any account information urgently, please call us on the numbers below.</td>
			</tr>
			
	

	
		
			<tr valign="top">
			
				<td class="contentcell"><table cellpadding="0" cellspacing="0" border="0" width="360">
					
						<tr valign="top">
							<th class="LightBlueHeader" align="left" colspan="2">
							Halifax Accounts
							</th>
						</tr>
					
							<tr>
							<td class="LightBlue">Bank Accounts</td>
							<td class="LightBlue">08457 20 30 40</td>
							</tr>
					
							<tr>
							<td class="LightBlue">Credit Cards</td>
							<td class="LightBlue">08457 28 38 48</td>
							</tr>
					
							<tr>
							<td class="LightBlue">Insurance</td>
							<td class="LightBlue">08457 23 33 43</td>
							</tr>
					
							<tr>
							<td class="LightBlue">Mortgages</td>
							<td class="LightBlue">08457 27 37 47</td>
							</tr>
					
							<tr>
							<td class="LightBlue">Personal Loans</td>
							<td class="LightBlue">08457 24 34 44</td>
							</tr>
					
							<tr>
							<td class="LightBlue">Savings & Investments</td>
							<td class="LightBlue">08457 26 36 46</td>
							</tr>
					
							<tr>
							<td class="LightBlue">Share Dealing</td>
							<td class="LightBlue">08457 22 55 25</td>
							</tr>
					
							<tr>
							<td class="LightBlue">Share Schemes</td>
							<td class="LightBlue">0800    37 17 61</td>
							</tr>
					
							<tr>
							<td class="LightBlue">Lost & Stolen Cards</td>
							<td class="LightBlue">08457 20 30 99</td>
							</tr>
					
				</table></td>
			



















			</tr>
			
	

	
		
			<tr>
				<td colspan="2"  class="contentcell">For other online related queries, please call our helpdesk on 0845 602 0000.</td>
			</tr>
			
	

	

</table>
</body>
</html>

This sounds like a duplicate of bug 521461, which involved the secure site returning errors rather than the HTML content you quoted above (which you no doubt captured when the site was working again). That bug will be fixed in our next security updates. You could try our nightlies if you're still experiencing the problem--it would be great to get confirmation that this is a duplicate:

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-1.9.1/

Those are en-US builds. We do also have en-GB nightlies but not 64-bit.
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-1.9.1-l10n/

If the site has fixed their problem then we're left with a lot of guessing.
Whiteboard: dupe 521461?
The site in question is now functioning correctly.
Reports on the UK media said that the entire bank chain had suffered a power cut and that their computers were all down. I can only assume that the web server front end was unable to contact the banking hosts and so failed in strange ways.
I did check the continued failure mode after I fetched the html code but I think that the whole system was failing intermittently at the time.
I am sorry that I can not confirm the failure mode (as the bank is now back on line) and that I did not find the original bug report. I can only assume that the search engine does not return references to bugs that the searcher has no access rights to.
No worries about not finding hidden duplicates. From your description it's at least plausible that this is the same as bug 521461, but with the bank back online there's no way to test for sure.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: dupe 521461? → [sg:dupe 521461?]
Group: core-security
Whiteboard: [sg:dupe 521461?] → [sg:dupe 521461]