URL Spoofing when The URL is aligned to right in The Location Bar

Status: NEW
Assignee: Unassigned
Product: Firefox
Component: Location Bar
Reported: 3 years ago
Modified: 2 years ago
Reporter: Ahmed Elsobky
Keywords: csectype-spoof, sec-low
Version: 29 Branch
Platform: x86, Windows 7
Points: ---
Bug Flags: firefox-backlog -
Firefox Tracking Flags: Not tracked
Attachments: 2

(Reporter)

Description

3 years ago
Created attachment 8401115 [details]
URL Spoofing.html

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140331125246

Steps to reproduce:

1- Align the URL in the Location Bar (in any open tab) to the right by clicking into the Location Bar and then pressing CTRL+Right Shift.
2- Open the attached test case (URL Spoofing.html), then click the button in it.


Actual results:

Firefox doesn't show the real domain name and shows a spoofed one (https://www.mozilla.org) instead.
Note: It's true that the URL is aligned to the left by default in Firefox, but it's not that hard for a malicious website to ask/convince users to align the URL in the location bar to the right for any fake legitimate reason. Also, it's easy for an attacker to perform the attack using a domain name that has SSL (Secure Sockets Layer) to spoof the SSL icon (the small lock icon) that appears for secure connections.


Expected results:

Firefox must show the real domain name regardless of the adjustment of the URL in the Location Bar (which is the actual behavior in Internet Explorer 11, while the other web browsers such as Chrome/Chromium, Safari and Opera don't support aligning the URL to the right).
(Reporter)

Comment 1

3 years ago
Created attachment 8401117 [details]
URL Spoofing.png

This is how the spoofed URL looks on my computer.
(Reporter)

Updated

3 years ago
Component: Untriaged → Location Bar
Keywords: csectype-spoof
(Reporter)

Comment 2

3 years ago
Comment on attachment 8401115 [details]
URL Spoofing.html

<html>
<button onclick="document.location.href = 'http://www.example.com/https://www.mozilla.org/XxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXXXXXxxxxxxxxxxxxxxxxXXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXxxxxxxxxXxxxxxUUxxxxxxxxxxxxx'">Go to Mozilla.org</button>
</html>
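
Added example (not part of the bug report and not Firefox code): a JavaScript sketch of the check and display rule that the report's expected result implies. It flags a URL whose path embeds another site's origin, as the test case's URL does, and shortens a URL so that the real scheme and host always stay visible. The function names, the character budget and the sample URL are assumptions made for illustration.

```javascript
// Constructed sample with the same shape as the test case's URL:
// real host first, a decoy origin in the path, then filler characters.
const SAMPLE_URL =
  "http://www.example.com/https://www.mozilla.org/" + "x".repeat(120);

// Return the host names of any scheme://host strings found after the real
// authority (in path, query or fragment). Such text can pose as the site
// identity whenever only part of the URL is visible.
function embeddedOrigins(rawUrl) {
  const u = new URL(rawUrl);
  const tail = u.pathname + u.search + u.hash;
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  const found = [];
  let m;
  while ((m = re.exec(tail)) !== null) {
    const host = m[1].toLowerCase();
    if (host !== u.hostname) found.push(host);
  }
  return found;
}

// Build a display string of at most maxChars characters that always keeps
// the real scheme and host and elides only the end of the path.
// The host is never cut: if the origin alone exceeds maxChars, the result
// is the full origin plus an ellipsis, even though that is over budget.
function safeDisplay(rawUrl, maxChars) {
  const u = new URL(rawUrl);
  const origin = u.protocol + "//" + u.host;
  const tail = u.pathname + u.search + u.hash;
  if (origin.length + tail.length <= maxChars) return origin + tail;
  const room = Math.max(0, maxChars - origin.length - 1); // 1 for the ellipsis
  return origin + tail.slice(0, room) + "…";
}

console.log(embeddedOrigins(SAMPLE_URL)); // decoy host(s) found in the path
console.log(safeDisplay(SAMPLE_URL, 40)); // real host stays at the front
```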
(Reporter)

Comment 3

3 years ago
(In reply to Ahmed Elsobky (@MrEagle0x) from comment #2)
> Comment on attachment 8401115 [details]
> URL Spoofing.html

I have added some more characters to the URL to make it accurate on a fresh installation of Firefox that has no add-ons, so the code in #2 is the test case now.

(Curtis Koenig [:curtisk])

Comment 4

Given that this requires both the user to change the URL bar from the default of left adjusted and to click on locations controlled by an attacker, this is a sec-low at best (if at all). This requires lots of actions by the user, and if I can get a user to do this I can likely get them to do much worse things.

In all likelihood this is a wontfix, I also see no reason to keep this bug hidden as
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csectype-spoof
(Reporter)

Comment 5

3 years ago
(In reply to Curtis Koenig [:curtisk] from comment #4)
> Given that this requires both the user to change the url bar from the
> default of left adjusted and to click on locations controlled by an attacker
> this is a sec-low at best (if at all). This requires lots of actions by the
> user and if I can get a user to do this I can likely get them to do much
> worse things.
> 
> In all likelihood this is a wontfix, I also see no reason to keep this bug
> hidden as

I agree with you that this is a low-risk issue and that it somehow requires a lot of interaction, but as you know, the guidelines of security measures tell users not to download files from untrusted websites (domains) and not to visit suspicious domains, etc., but these guidelines don't tell users not to align the URL to the right or not to click a link/button! Then, from a non-suspicious action, they will fall for the trick! So I don't agree with you that this could be considered a WONTFIX or that this is a very, very low risk.

I think that this should (or must) be fixed.

Updated

3 years ago
Flags: firefox-backlog+

Updated

3 years ago
Flags: firefox-backlog+ → firefox-backlog-
Keywords: csectype-spoof, sec-low