Obfuscated URLs within iframes

Johnathan Nightingale


Issue
There has been discussion today about a Firefox feature that warns users when a site's URL is deceptive. When a Firefox user visits a site with a URL that might be deceptive (e.g. http://www.good.com@evil.com/, where the text before the "@" is userinfo, not the host), Firefox will stop the load and confirm with the user that they are really visiting the site they expected to visit (in this example, evil.com is the actual site loaded). The discussion today has identified the fact that this same warning is not presented when an iframe on the page attempts to load such a URL.
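As an added example (not code from this post or from Mozilla), the check below applies the same test that the top-level warning applies, userinfo before "@" that reads like a hostname, to iframe src attributes in a page you serve, so such frames can be caught at authoring or review time. It assumes Node's WHATWG URL implementation; the sample HTML and the regex scanner are constructed for the example.

```javascript
// Added example: flag iframe src URLs whose userinfo (the part before "@")
// could be mistaken for the host, as in http://www.good.com@evil.com/.

// Report for a single URL: the real host and any host-looking userinfo.
function inspectUrl(raw, base = "http://example.test/") {
  let url;
  try {
    url = new URL(raw, base);          // also resolves relative src values
  } catch (e) {
    return { url: raw, parseable: false, deceptive: false };
  }
  let userinfo = url.username;
  try {
    userinfo = decodeURIComponent(userinfo); // unhide www%2Egood%2Ecom
  } catch (e) { /* keep the raw form if it is not valid percent-encoding */ }
  // Userinfo that looks like a hostname is the pattern the warning targets;
  // ordinary user:password credentials are reported but not flagged.
  const looksLikeHost = /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(userinfo);
  return {
    url: url.href,
    parseable: true,
    host: url.hostname,
    userinfo,
    deceptive: userinfo.length > 0 && looksLikeHost,
    hasCredentials: userinfo.length > 0 || url.password.length > 0,
  };
}

// Scan HTML for <iframe ... src="..."> and return the deceptive ones.
// A regex is enough to audit pages you control; use a DOM parser for
// untrusted markup.
function findDeceptiveIframes(html, base) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const report = inspectUrl(m[2], base);
    if (report.deceptive) hits.push(report);
  }
  return hits;
}

// Constructed sample page: one honest iframe and one using the
// good.com@evil.com form from the post.
const SAMPLE_HTML = `
<p>Welcome</p>
<iframe src="http://www.good.com/widget"></iframe>
<iframe src="http://www.good.com@evil.com/"></iframe>
`;
```

Running `findDeceptiveIframes(SAMPLE_HTML, "http://www.good.com/")` returns one hit whose `host` is `evil.com` and whose `userinfo` is `www.good.com`.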

Impact to Users
This issue poses very low risk to users. This attack relies on user confusion about the true destination of a link, and only someone examining the HTML source of the page would ever see the deceptive URL. Most users do not view the source of loading pages, and are therefore unlikely to be impacted by this attack.

Status
We are aware of the discussion. There is currently no fix in plan since Mozilla does not believe this can be used to attack users. Firefox ships with built-in phishing and malware protection that warns users if they are attempting to visit a dangerous URL, and these attempts at deception do not impact that protection.

Credit
This bug was originally reported by Aditya K Sood.

Johnathan Nightingale
Director of Firefox Development

3 responses

  1. Aditya K Sood wrote on :

    In response
    http://www.secniche.org/videos/mozilla_bug_570658.html

  2. Concerned Fan wrote on :

    Hello Jonathan: Is this the same as the one that Secunia reports? or is it different? Please confirm. Thanks!

    http://secunia.com/advisories/41095

  3. Roy wrote on :

    I was also wondering whether it's the same as the one Secunia reports.
    Thanks.