MIME sniffing on data: documents makes phishing easier than necessary

NEW
Unassigned

Status


Firefox
Security
minor
7 years ago
7 years ago

People

(Reporter: Michal Zalewski, Unassigned)

Tracking

8 Branch



(Reporter)

Description

7 years ago
Hi guys,

I feel stupid filing this... Not a big deal, but it may make sense not to sniff MIME type on data: documents. Otherwise, I can construct a fairly plausible phishing vector by omitting text/html:

http://lcamtuf.coredump.cx/switch/index2.html

Arguably, javascript:"..." URLs can be used to achieve a similar effect; Chrome solves that by not putting them in the address bar.

On a related note - I'm not sure it makes sense to file a bug for that, but this seems like something that may be worth thinking about at some point:

http://lcamtuf.blogspot.com/2011/12/old-switcharoo.html
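One defender-side check for the point made above (an added example, not code from the bug report or from Firefox): a small RFC 2397 parser that applies the no-sniff policy the reporter suggests, rendering a data: URL with no declared media type as text/plain and flagging documents whose HTML rendering would depend on sniffing. The tag list in HTML_MARKERS is an assumption for illustration, not Firefox's actual sniffing rules.

```python
import base64
import re
from urllib.parse import unquote

# RFC 2397 grammar: data:[<mediatype>][;base64],<data>
# When <mediatype> is omitted it defaults to text/plain;charset=US-ASCII.
DEFAULT_MEDIATYPE = "text/plain"

# Assumed list of tags a content sniffer would treat as evidence of HTML.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|title|script|iframe|div|p|a|h[1-6]|table|font|br)\b",
    re.IGNORECASE,
)


def parse_data_url(url):
    """Split a data: URL into (type_declared, mediatype, params, payload_bytes).

    type_declared is False when the author left the media type out entirely."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "data":
        raise ValueError("not a data: URL")
    header, sep, data = rest.partition(",")
    if not sep:
        raise ValueError("data: URL has no ',' separating header and data")
    fields = header.split(";") if header else []
    is_base64 = bool(fields) and fields[-1].lower() == "base64"
    if is_base64:
        fields = fields[:-1]
    type_declared = bool(fields) and fields[0] != ""
    mediatype = fields[0].lower() if type_declared else DEFAULT_MEDIATYPE
    params = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    if is_base64:
        payload = base64.b64decode(unquote(data))
    else:
        payload = unquote(data).encode("utf-8")
    return type_declared, mediatype, params, payload


def classify(url):
    """No-sniff policy: render exactly the declared type (default text/plain) and
    flag documents that only render as HTML if the browser sniffs, i.e. the body
    looks like HTML but text/html was not declared."""
    type_declared, mediatype, _params, payload = parse_data_url(url)
    looks_html = HTML_MARKERS.search(payload) is not None
    return {
        "declared": type_declared,
        "render_as": mediatype,
        "sniff_dependent": mediatype != "text/html" and looks_html,
    }
```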
(Reporter)

Comment 1

7 years ago
I updated the PoC with a second variant that looks particularly convincing in Firefox (using Unicode homographs).
(Reporter)

Comment 2

7 years ago
Reference capture of what I'm seeing:
http://lcamtuf.coredump.cx/switch/reference.jpg