All users were logged out of Bugzilla on October 13th, 2018

Mozilla Firefox 8.0 URL Bar Spoofing and Saved Password stealing using history.back() or history.forward()

RESOLVED DUPLICATE of bug 687745

Status

()

RESOLVED DUPLICATE of bug 687745
7 years ago
5 years ago

People

(Reporter: jordi.chancel, Unassigned)

Tracking

8 Branch
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 687745], URL)

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
Created attachment 575008 [details]
screenshoturlspoofing.png

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243

Steps to reproduce:

similar at bug 687745 but with some difference (can't steal a SSL/TLS indicia and this one uses a different code)

Go at www.google.fr and surf on three webpage , after , click on a link of a website on google , use three time History.back() button during the page loading (BEFORE THE PAGE IS LOADED),after than the website is loaded you can use BACK or FORWARD button for enable the URL spoofing (view the video). 


Actual results:

URL is Spoofed and if the webpage targeted contain a Password and login saved on form input , they are sent on attacker website.

/!\ I haven't coded a PoC for the moment because this exploitation is more complicated than i thought, so for demonstrate this vulnerability please view this video => http://www.youtube.com/watch?v=ECBbz07s2Uk .
(Reporter)

Comment 1

7 years ago
Comment on attachment 575008 [details]
screenshoturlspoofing.png

I will try to code a testcase for this.
Attachment #575008 - Attachment filename: screenshoturlspoofing.png → screenshot
(Reporter)

Comment 2

7 years ago
sorry but this bug is a dupe of bug 700080.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 700080]
Duplicate of bug: 700080
(Reporter)

Comment 4

7 years ago
sorry but this bug is a dupe of bug 687745.
(Reporter)

Updated

7 years ago
Whiteboard: [sg:dupe 700080] → [sg:dupe 687745]
Duplicate of bug: 687745
Group: core-security
You need to log in before you can comment on or make changes to this bug.