URL bar spoofing vulnerability

Lucas Adamski

Issue

The URL in the address bar can be spoofed when a new window or tab is opened by a malicious web page.

Impact to users

If a user visits a page hosting this malicious code, a new window or tab can be opened with a faked URL. The user has no way of determining whether the URL is authentic. This could result in the user disclosing confidential information to the malicious site, which is known as a phishing attack.

Status

This vulnerability is known to affect all current versions of Firefox.  Mozilla is actively working on fixing this vulnerability.  Users can mitigate this vulnerability by only sharing confidential information with websites that were opened from a bookmark, a trusted source, or by manually opening a new tab or window and entering a URL.

Credit

This issue was originally reported by Juan Pablo Lopez Yacubian.

15 responses

  1. LpSolit wrote on ::

    It looks like reporters of security bugs found a new way to get their bugs fixed: report the issues publicly to force Firefox developers to fix them in a reasonable timeframe.

    Why has this bug been kept open for so long if the fix is < 1Kb?

  2. Buggie wrote on ::

    @LpSolit Why did bug 38862 take nearly a decade if the fix is 15KB?

  3. LpSolit wrote on ::

    @Buggie: the fix was much more complex and invasive. And we had no good idea on how to fix it some years ago. Looks like this wasn’t the case here.

  4. Confused wrote on :

    I just read this post and then clicked on the link that directs you to Bugzilla. It gives the status for this bug as RESOLVED FIXED. Is it? I just clicked on update and was told no updates available. Could you please reply to this comment or edit this post and clarify if this threat remains an issue? Or must we still employ the workaround you’ve described?

  5. SOY wrote on :

    @confused: I learned about this security risk using Secunia (Google it). It seems to be a minor risk according to the scale or rating system.

  6. Zack wrote on :

    @confused: RESOLVED FIXED means only “a fix for this issue has been committed to the current development trunk”. You have to look at a host of other information – the flags, the attachment flags, the whiteboard, etc. – to figure out which upcoming release that fix will be in.

  7. Confused wrote on :

    @ Zack

    Thanks for the reply. This is what the Bugzilla page shows at this time:

    Whiteboard: [sg:moderate] spoof

    Flags:
    benjamin: blocking1.9.1-
    benjamin: wanted1.9.1+
    samuel.sidler: blocking1.9.0.14+
    samuel.sidler: wanted1.9.0.x+
    hskupin: in‑testsuite?

    I am afraid the above is double Dutch to me. If you understand it and have the time and inclination to explain in layperson’s language how to interpret the above, I’d be interested to learn for the future. Otherwise a “yes this is fixed now” or “no it isn’t” would suffice.

    (I am assuming that the 3.5.2 that came out about a week or so after this post included a fix).

  8. AndrewM wrote on :

    @Confused (in case you check back here or for anyone else who’s interested): If you look at the Known Vulnerabilities page for Firefox 3.5 ( http://www.mozilla.org/security/known-vulnerabilities/firefox35.html ) you’ll see that there’s a vulnerability fixed in Firefox 3.5.2 that sounds like it’s the right one (“Location bar and SSL indicator spoofing via window.open() on invalid URL”). When you click on that, you get taken to Mozilla Foundation Security Advisory 2009-44 ( http://www.mozilla.org/security/announce/2009/mfsa2009-44.html ) which gives a more detailed description and which links to the same bug number as the one given in the post above.

    So yes, it’s fixed in 3.5.2 :)

  9. Douglas Haire wrote on ::

    This may be the wrong place for this but several times in the past few weeks I have been hit with something claiming to be a Mozilla Security Check. It also reports something like this:
    “http://newwayscanner.info”

    Whatever this is, it takes over Firefox, expands it to full page, and starts dialog boxes claiming it is scanning my computer and finding threats (usually 10 or more) then a dialog box pops up trying to start a download of some executable. The only way out of this is to use Task Manager to shut down Firefox (listed now as this Mozilla Security thing) and open it again using an internet link icon. I can then exit the malicious site by closing that tab. Attempting to re-open Firefox at my default home page just takes me back to the malicious site.

  10. Daniel Veditz wrote on :

    @Douglas

    Yes, this is the wrong place for this :-) Please see the folks at http://support.mozilla.com to find help with Firefox problems. Or if you’re worried about (in)security you can report issues via e-mail to security@mozilla.org

    The symptoms you describe are a classic scareware fraud that makes the rounds. It’s bad enough that the US FTC got a large judgment against a couple of operators last December (later cut to 6% of the original amount — boo!). Unfortunately that hasn’t slowed the problem since those guys were by no means the only ones using the technique.

    Killing Firefox through the Task Manager simulates a “crash” so Firefox tries to restore your previous session instead of opening your home page. In Firefox 3.5 if you crash a couple of times in a row it will instead open on a page showing the tabs it’s trying to restore and allow you to skip specific tabs. Not a great workaround, and we are trying to come up with something better without breaking features that lots of legitimate web sites depend on.

  11. Byron wrote on :

    Where’s the patch for it????

  12. Daniel Veditz wrote on :

    @Byron

    The fix for this URL bar spoofing problem was released in Firefox 3.5.2 and Firefox 3.0.13

  13. Greg R. wrote on :

    @Daniel Veditz

    Not true, unfortunately. I saw the newwayscanner.info popup for the first time almost immediately after installing 3.5.2. I did kill the process immediately, and blocked their website in my hosts file, and haven’t seen it since.

  14. Daniel Veditz wrote on :

    oh, /that/ “it”. I already said in comment 10 that we don’t have a fix for the fake anti-virus sites yet.

  15. Internet Protection wrote on ::

    A successful attack depends on the proper construction of the ‘data:’ URL. An algorithm could utilize JS document.body.clientWidth/Height properties to calculate the best URL padding for the given browser.