Closed
Bug 584910
Opened 14 years ago
Closed 11 years ago
a.href substitution on onmousedown event creates a phishing vulnerability
Categories
(Toolkit :: Safe Browsing, defect)
Toolkit
Safe Browsing
Tracking
()
RESOLVED
DUPLICATE
of bug 229050
People
(Reporter: dchichkov, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
HREF can be substituted after the user clicks on the link thus creating a potential phishing vulnerability.
Example: A link pointing to "http://www.some-prominent-bank.com" takes user to to "http://www.some-prominent-bank-in-nigeria.com".
<a href="http://www.some-prominent-bank.com"
onmousedown="this.href='http://www.some-prominent-bank-in-nigeria.com'; return true;"
>
http://www.some-prominent-bank.com
</a>
Reproducible: Always
Steps to Reproduce:
1. Create an .html file containing:
<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head><body><br>HREF substitution activated in the mousedown event that fires just before clicking in the link.
<br>Example: A link pointing to "http://www.some-prominent-bank.com"
takes user to to "http://www.some-prominent-bank-in-nigeria.com":
<a href="http://www.some-prominent-bank.com/" onmousedown="this.href='http://www.some-prominent-bank-in-nigeria.com'; return true;">
http://www.some-prominent-bank.com
</a>
</body></html>
2. Open the file in Firefox;
3. Click on the http://www.some-prominent-bank.com link;
4. Link resolves into the http://www.some-prominent-bank-in-nigeria.com
Actual Results:
Link pointing to http://www.some-prominent-bank.com resolves into the http://www.some-prominent-bank-in-nigeria.com
Expected Results:
Alternative 1: disable a.href modification on onmousedown events;
Alternative 2: issue a warning about a potential phishing attempt;
Well known security vulnerability.
|
||
Updated•13 years ago
|
Component: Phishing Protection → General
QA Contact: phishing.protection → general
Version: unspecified → 3.6 Branch
|
||
Comment 1•13 years ago
|
||
See also bug 229050
|
||
Updated•11 years ago
|
Component: General → Phishing Protection
|
|
||
Updated•11 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Comment 2•11 years ago
|
||
Reproduced on Mozilla/5.0 (X11; Linux i686; rv:29.0) Gecko/20100101 Firefox/29.0.
Version: 3.6 Branch → Trunk
|
||
Comment 3•11 years ago
|
||
>Alternative 2: issue a warning about a potential phishing attempt;
There's no guarantee/evidence this kind of operation is necessarily a phishing attempt. Note that if the target site is a phishing site, SafeBrowsing will kick in.
|
|
||
Comment 4•11 years ago
|
||
This is well covered in older bugs. Going to dupe.
See also bug 325274.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
|
Assignee | |
Updated•10 years ago
|
Product: Firefox → Toolkit
You need to log in
before you can comment on or make changes to this bug.
Description
•