Closed
Bug 740893
Opened 13 years ago
Closed 13 years ago
Emoji characters that look like locks could be used to spoof https locks in page titles
Categories (Firefox :: General, defect)
RESOLVED DUPLICATE of bug 808234
People (Reporter: sullivan, Unassigned)
Details (Keywords: sec-low, Whiteboard: [sg:low spoof])
Attachments (2 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.5 Safari/534.55.3
Steps to reproduce:
Emoji characters in page titles are displayed in Firefox’s window title bar. There is one Emoji character that looks like a simple closed padlock, and a few variants. Using one of these in a page title will show what could be interpreted as an https lock image in the window title bar.
These five consecutive Emoji characters are all lock-and-key related:
0x1F50F: /* LOCK WITH INK PEN */
0x1F510: /* CLOSED LOCK WITH KEY */
0x1F511: /* KEY */
0x1F512: /* LOCK */
0x1F513: /* OPEN LOCK */
For an example, paste this URL into Firefox and hit return:
data:text/html,<title>Secured Area %26%23x1F512%3B<%2Ftitle>
Actual results:
A padlock image appeared in the window title though the window is not displaying an https page.
Expected results:
The padlock image should have been stripped from the title, or otherwise not displayed.
Attached a screenshot from Firefox 11.0 on Mac.
Updated•13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 1•13 years ago
What is this spoofing exactly? I don't see a padlock in the title bar on https pages.
Comment 2•13 years ago
I've confirmed the pasting of:
data:text/html,<title>Secured Area %26%23x1F512%3B<%2Ftitle>
as showing a lock in the title bar. Beyond that, I'm not sure how interesting this issue is.
The basic idea is that a naive user might see the padlock and interpret it as a “secure page lock”, even though it doesn’t match the way the browser reflects actual secure pages.
Comment 4•13 years ago
This isn't really a bug that benefits from being hidden, so I'd like to un-hide it.
Component: Untriaged → General
OS: Mac OS X → All
QA Contact: untriaged → general
Hardware: x86 → All
I have no objection; I was just being conservative since it’s security-ish.
Comment 6•13 years ago
No worries, that's appreciated.
We could just filter these characters out of titles that we set from content.
On my mac, the testcase isn't particularly convincing (http://cl.ly/3B3Q0G2c1D3t0I151m2B).
Group: core-security
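The filter suggested in Comment 6, sketched as an added example (not Firefox code and not written by any commenter): it strips the five lock-and-key code points listed in the report from a content-supplied title. The name `filterTitle`, the dropping of a trailing U+FE0F variation selector and the whitespace tidy-up are assumptions of this sketch.

```javascript
// Added example: filter for titles set from page content (not Firefox code).
// Range taken from the bug report: U+1F50F .. U+1F513.
const LOCK_FIRST = 0x1F50F; // LOCK WITH INK PEN
const LOCK_LAST = 0x1F513;  // OPEN LOCK
// Assumption: an emoji variation selector directly after a removed glyph is dropped too.
const VS16 = 0xFE0F;

function filterTitle(title) {
  const kept = [];
  const removed = [];
  let dropNextSelector = false;
  // for...of walks code points, so the UTF-16 surrogate pair D83D DD12
  // is seen as the single code point U+1F512 rather than two halves.
  for (const ch of title) {
    const cp = ch.codePointAt(0);
    if (cp >= LOCK_FIRST && cp <= LOCK_LAST) {
      removed.push("U+" + cp.toString(16).toUpperCase());
      dropNextSelector = true;
      continue;
    }
    if (dropNextSelector && cp === VS16) {
      dropNextSelector = false;
      continue;
    }
    dropNextSelector = false;
    kept.push(ch);
  }
  // Tidy the gap a removed glyph leaves behind.
  const cleaned = kept.join("").replace(/\s+/g, " ").trim();
  // "removed" lets the caller log which glyphs a page tried to place in its title.
  return { title: cleaned, removed };
}

// Constructed sample: the title from the report's data: URL after
// percent-decoding and HTML character-reference decoding.
const sample = "Secured Area \u{1F512}";
console.log(filterTitle(sample));
```

The neighbouring code points U+1F50E and U+1F514 pass through unchanged, since only the range named in the report is filtered.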
Updated•13 years ago
Whiteboard: [sg:low spoof]
Comment 7•13 years ago
This is utterly unconvincing on Linux - see attached screenshot. It is a bit more convincing on Mac (where it looks like they have some scheme for doing coloured icons for Emoji, rather than just rendering them with the font engine - unless the Mac font engine can do varied colours and gradients).
Gerv
Updated•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE