686152 - Trojan injected "please give us your credit card details" into amazon.co.uk

Status: UNCONFIRMED

(Firefox :: Security, defect)

Description

[bugzilla]

Attachment: Zipped-up trojan that attacks firefox. Only install on throwaway, locked-down, minimal privileged user accounts!

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Build ID: 20110615151330

Steps to reproduce:

Was attacked by a trojan - installed via a java vulnerability as far as I could tell.


Actual results:

***Note the following will install a trojan on your machine! ***

***Ensure you use a throw-away limited user account to replicate the bug!***

 - unzip the attached files
 - use rundll32.exe to run sw2.dll
 - run firefox (v5, may work with other versions)
 - connect to amazon.co.uk
 - Examine page source. Source will include the phrase "In order to provide you with extra security and prevent your account from possible unauthorized use, we occasionally need to ask for additional information."
 - depending on exactly how well the page source was attacked, a dialog box may appear on top of the page with said text, asking for credit card details



Expected results:

Firefox shouldn't allow sw2.dll to arbitrarily edit webpages that firefox downloads

Ideally, Firefox would prevent badly written insecure java plugins from running and installing such trojans on my machine in the first place. :-)