Mozilla UI Spoofing Vulnerability

Short Circuit writes "Secunia has issued a security advisory for Mozilla and Firefox. Apparently, remote web sites can spoof the user interface using XUL. (See the Firefox proof of concept.) Of course, that won't stop me from using Firefox."

This is nothing...

You think your Mozilla or FireFox has neat features like that?

Well my friend, my IE can beat your browser many times over!

HA!

Re:This is nothing...

[ceejayoz]

except it has been a known issue since 1999...

Re:This is nothing...

[auzy]

Its not really an issue though.. Even if this is fixed, theres 10000 different ways of doing the same kind of thing that will throw off even most security experts. Even if its changed, there will be other ways of pretending the bar exists.. They made it confidential because theres no way to fix it.. If they fix it this way, blackhats use javascript..

Rat never thought this thru. I think his trying to gain attention over something which he never bothered contemplating that there was no possible solution anyway.

Thanks to him now, his given just about every credit card frauder on the planet new ideas (and even implemented the paypal clone code for it too). They made it confidential to just stop ppl panicing about something which has always been possible and to try to stop frauders from adding this technique to their arsenal.. Now, Rat has done an incredibly smart move and gave spammers, credit card frauders, script kiddies some new ideas.. And for that, we have to thank him

Re:This is nothing...

[dedazo]

That's nice, except that when "blackhats" do the same thing to people who use IE then it's Microsoft's fault.

Oh, and there's no excuse for "security through obscurity", especially when you've spent the past five years ridiculing the evil empire for it and thumping your chest singing the praises of being open and honest about the same thing. I don't care if this particular issue is interpreted as a bug, a vuln, a feature or anything else. The Mozilla folks kept this jewel mum for five years as far as I can tell. You know what? That means that XUL is probably flawed in some fundamental way and they know it. And if that's not the case, the fact that they hid it sure makes it seem that way.

I suspect we're going to start seeing many more of these as Mozilla gains a foothold. Perhaps all our retarded zealot fanboys will being the understand that actual vulnerabilities aside (which affect all code), plain user stupidity and the fundamental problems of the browser as an application platform make up for a large percentage of the perceived problems with IE. Heck, the other day I rain into a page that wanted me to install some XPI malware.

Maybe we're not so superior after all when people actually use what we do. Reality intrudes on the best laid plans, I guess.

Re:This is nothing...

[auzy]

actually, you can make javascript almost as interactive.. The only advantage for this one is the theme is the same, and the bookmarks are there.. I'm actually thinking about whether its worth making a javascript clone which would fool 90% of people, and be actually a higher risk because it would work on IE too, and safari, and whatever else available.. Of course, I believe in reusable programming and the only people who would look at the code for such a thing, would be the last people you want to see it

Re:This is nothing...

[Michalson]

You should really read the Mozilla vuln. list. While they only allow things that have been reported, *already fixed*, and *gone for 2 versions already*, it does provide a pretty scare look at Mozilla's "security", or lack there of. While I will be the first to admit this model of secrecy has worked in the past, it doesn't look like it will in the future. First, a lot of people are moving to Mozilla and Firefox, making it a viable target (I've already seen several instances xpi spyware/trojans ["please install me to make your clock run accurately"] being used in place of traditional ActiveX), and second, security reporting has been changing. In the past Mozilla security bugs where reported directly to Mozilla, where they could be kept secret as long as it took Mozilla to fix them - I've only seen a few rare cases of someone actually taking their grievances about Mozilla's slow bug fixing public (like the 1 line Javascript exploit for taking down every Mozilla window and tab at once, which took a year to fix, finally being done when the vulnerability was reposted to a public board, which prompted it to be fixed silently shortly after 1.7 came out). With Mozilla and Firefox "mainstream" browsers now, real security experts are starting to look at them, and they don't play Mozilla's game. They want credit for their discovery, so they don't want to have it shuffled under the rug while Mozilla pretends it never existed. This means publicly announcing exploits, which not only forces Mozilla to radically change how quickly they respond to security bugs, but also forces them to publicly inform users that they should upgrade to the latest build (before of course they just kept fixes secret and let everyone who doesn't download a 12MB build everyday browse with arbitrary code execution vulnerabilities, since saving their own face was more important). The fact that Mozilla vulnerabilities are going to start getting announced within days or hours of them being patched means you're going to start getting exactly what you get in IE - hackers take the bug, make a working exploit, and deploy it a week or month later against the 90% of people who didn't download Mozilla's daily bugfix (perhaps a bigger problem then IE, since Mozilla demands you download the whole 12MB thing, instead of just a little 100KB patch file). Remember Blaster - easy, 56k friendly made available more then a month before it hit. Now try "easy, 12MB patch made available on a weekly basis" and see how few people are keeping ahead of the hackers.

Re:This is nothing...

[Atrax]

> Experts don't browse with javascript enabled, so
> it's pretty obvious actually.

So how do these experts have any idea what will affect the end user? From their non-javascript Ivory Tower, they survey the scene and see all is good. meanwhile, Joe Dickwad sends his credit card info to the Ukraine, thinking he's just bought his momma a bouquet for mothers' day.

To secure the end user's experience, you need to experience things from an end-user perspective.

[this comment is nitpicking the post, not the experts, by the way]

Not another one!

[Nermal6693]

I've lost faith in Secunia, they seem to love pointing out security holes in open-source products. So I just ignore them now.

Re:Not another one!

[Pahalial]

You -do- realize they've known for 5 years, right? We're only hearing now because it's apparently starting to be used in the wild, not to mention someone published research about using chrome spoofing.

Re:Not another one!

[Nermal6693]

But at 21, I'm too young to be a grandparent! ;)

I'm using Firefox...

so am I really seeing slashdot, or is someone trying to spoof me, while at the same time ironically warning me about said Firefox spoofs?

Re:I'm using Firefox...

[HoneyBunchesOfGoats]

You can tell that it's not the real slashdot because they got the colors all wrong.

Re:I'm using Firefox...

man...oh man. this reminds me of the time our "cio" first heard about ip spoofing back in 97.

for the next 3 months every problem was probably caused by "spoofing"...he drove us nuts with that bullshit.

so to fuck with him, we created fake security/vulnerability reports about a new threat: "goof balling"

we could barely keep from wetting our pants as he ran around for the next 3 months telling everyone "we are being goof balled"

Re:I'm using Firefox...

[dillee1]

Fuck, I thought that was the VGA cable getting loose again and tried to fix it.

Vulnerability?

[insecuritiez]

Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are a IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.

Re:Vulnerability?

[kristofme]

I had the same opinion initally, but if you check out the spoofed Mozilla window you have to admit this could prove to be dangerous..
Having said that, I'll stick to Firefox nonetheless - let's just hope the Firefox team will find a way to fix it soon.

Re:Vulnerability?

[NetNifty]

It's probably possible to do with IE too, but the worrying part of this exploit is the fake security certificate it produces. Easy way to disable the exploit working is to disable allowing javascript to hide the status bar - the menus etc still comes up but you can tell it's fake because of the extra status bar.

Re:Vulnerability?

[pinny20]

No, because it's using Chrome, so the fake window will have the same theme as the user is using, and if coded cleverly enough, even an experienced user wouldn't be able to easily tell the difference - e.g. Menus will operate in the same way etc.

Re:Vulnerability?

[MoogMan]

You are right in the sense that it is not a "standard" vunerability as such, but as is the case for IE "spoofing", it is still valid. It could still cause users to think a spoofed page is a real page, so in essence the browser is "vunerable".

As a sidepoint, I think the actual vunerability is the fact that XUL can be effectively imported and utilised from a website, rather than a vunerability saying "you can spoof the xyz browser using http user-agent flags and jpeg images" as a bad example :)

Re:Vulnerability?

[FyRE666]

Excuse me but isn't this "vulnerability" the same thing as saying the pop-up ads that look just like IE on Windows XP are a IE/Windows XP vulnerability? This customizability (albeit automatic by the webpage) is closer to a feature than a vulnerability if you ask me.

Exactly - furthermore, you can easily do exactly the same with IE. You just create a new window, with the fullsize property set, then set the dimensions (so you then have a blank window with no chrome at all - not even a title bar) - after that it's simply a matter of adding your spoofed interface using DHTML... Game over.

Re:Vulnerability?

[RzUpAnmsCwrds]

"Exactly - furthermore, you can easily do exactly the same with IE. You just create a new window, with the fullsize property set, then set the dimensions (so you then have a blank window with no chrome at all - not even a title bar) - after that it's simply a matter of adding your spoofed interface using DHTML... Game over."

This hasn't worked since Internet Explorer 6.0SP1. You can no longer resize a fullscreen window.

As of 6.0SP2 (due out soon, hopefully) you can no longer create a window without a statusbar.

Moreover, it is difficult to "fake out" the UI using DHTML. You may be able to fool inexperienced users, but it is much harder than doing the same thing using Mozilla's XUL.

Marked confidential?

[Kristoffer+Lunden]

According to the spoof demostration page, this has been known for five years(!) but the bug filed has been marked "confidential". You'd think that the Mozilla team could do better than security through obscurity - that is usually a reserved tactic for "the other team"....

Re:Marked confidential?

[archen]

I think the problem the Mozilla team has is the same problem that the IE team has, which is the same problem that the Opera team probably has - if you can make a blank window, you can redraw the interface pretty easy. But how do you fix it is the question? If you always draw the menu bar and the status bar you can still recreate the other elements. If you require that the browser always look like the parent window... well that would probably work, although many things on the web would look like crap.

I'm not making excuses for the Mozilla team (I mean this sort of freaks me out) , but I have no idea how to fix it. You could make all the bars "collapsed" on a "blank" window which would allow the user to always click them and look at the mormal UI again, but then you sort of expect that the user would know what those collapseable bars are for. Well it's better than nothing so maybe that's not such a bad idea... Anyway it's a problem with the way web browsers work as much as anything.

Re:Marked confidential?

[GoofyBoy]

So its ok for Mozilla/Firebird to utilize security through obscurity, yet when a closed source application?

And aren't a thousand eyes suppose to be looking at the code and fixing it? So shouldn't the fix come quickly? Isn't that the strength of OpenSource? If in theory it sounds good but in reality it doesn't work, what good is it to have a thousand eyes looking at the code for security purposes?

Re:Marked confidential?

[FuzzyBad-Mofo]

That's the thing, this code didn't have the proverbial thousand eyes looking at it, because the asshats marked it 'confidential' until just recently. If anything, this proves that security through obscurity is a losing proposition..

whoops

[ceejayoz]

Bug 22183. This is the first mention of the problem that I am aware of. It was marked confidential for five years until 7-21-2004.

Gotta love that security-by-obscurity...

What the hell?

[King_of_Prussia]

Of course, that won't stop me from using Firefox.

What kind of blind OSS zealotry is this? If somebody said something similar of IE there would be a unanimous uproar of upbraids from the slashdot community against whoever said it.

Is it somehow tolerable for OS software to have faults, even serious ones? Security through obscurity is no security at all, as I'm sure many Firefox users will learn one day. Personally, I believe statements like that, and the people that make them are what is holding OSS back from becoming a serious contender to the juggernauts of mocrosoft. If we continue to sit on laurels gained only through lucky ineptitude we will get precicely nowhere.

PS seems like google has started another round of gmail invites, I just got six. Logged in users tell me your funniest joke involving tux the linux penguin and the six funniest will recieve an invite (use a throwaway account, I'm sure this post will be followed by cowardly un-obfuscating trolls).

Re:What the hell?

[tirenours]

And from the linked page, a gem that we shouldn't overlook:

"if you don't have Firefox (you should get it!)"

Re:What the hell?

[Threni]

> What kind of blind OSS zealotry is this? If somebody said something similar of
> IE there would be a unanimous uproar of upbraids from the slashdot community
> against whoever said it.

Who cares what the `slashdot community` says? There's a mixture of people here. You don't have to listen to everyone. I'm not a zealot and i'm going to be sticking with Firefox, as I don't believe i'm at risk of this particular exploit, as I have a local webpage on my hard drive which is just a list of URLs to sites I use regularly, so unless that gets hacked i'm going to end up where I expect.

> Is it somehow tolerable for OS software to have faults, even serious ones?

All software has faults. IE has loads, Firefox has a few. On balance, it would appear that users of non-microsoft software are less at risk than microsoft users, and the problems get fixed more quickly. Or do you think this most recent security issue tips the balance back in favour of IE being the safest browser to use?

Re:What the hell?

[Spellbinder]

i am not even sure if this shoud be called bug
there is nothing it is not doing like it should
it may be stupid to allow javascript to hide the toolbars etc.
maybe it would be wise to disable those features in the next firefox version per default
it is easy to change right now...
and i don't see why this is worse than IE permitting execution of code on your machine

Re:What the hell?

[FooBarWidget]

There are many, many people out there who continue to use IE, even after knowing there are alternatives and that IE has many security holes. So what? Why doesn't anybody label those people as "MS zealots"? But when someone says he still continues to use FireFox he gets flamed down for being a zealot?

Re:What the hell?

[pebs]

Of course, that won't stop me from using Firefox.
What kind of blind OSS zealotry is this?

You know, I never advocate using Mozilla/Firefox due to lack of vulnerabilities; because deep down inside, I know there are a ton of vulnerabilities just waiting to be found. This is a problem for any reasonably complex software. Two reasons to use Mozilla/Firefox:

1. Feature-wise, it completely blows away IE
2. Standards compliant, which will help make the web a better place for all browsers

Also, it runs on many OS's, but that's not a good reason for everyone.

Currently, most of the malware/viruses/etc are for IE. But I have seen sites that try to get you to install Mozilla extensions that could be potentially malicious. With Mozilla's new-found popularity, it's only a matter of time before Mozilla gets attention from the malware writers. Get ready for it.

Re:What the hell?

[Dwonis]

That this bug was hidden away in the Bugzilla annals for over 4 years as Confidential is really intolerable. It reeks of trying to sweep an embarassing problem under the rug, which is the complete antithesis of Open Source development.

...

If a person, or group, can't be mature enough to admit a big, "oops, I/we made a really big design mistake. We'll fix it because many people are depending on us," then that person or group has no business working on such a fundamentally important piece of software as a web browser.

A workable solution to this kind of problem has been around for many years. Java applets, when run from appletviewer, display a very prominent notice telling the user that very thing.

The sad this about all this is that it's not even a fundamental design problem. Firefox has configuration options to eliminate this problem:

All you need to do is put something like this in your user.js file:

// disable target="_blank" (open in same window):
user_pref("browser.block.target_new_wind ow", true);

// prevent Javascript from trapping the context menu
user_pref("dom.event.contextmenu.enabled", false);

// ---- Stuff from http://flii.us/myworks/phoenix/pages/user.html ----

// don't allow popups to disable features

// if you know what the blank commented parts do, plz let me know
// so i can update my file here. :) THANKS!
// + special thanks to devin pohly for looking some of these up

// Prevent Javascript from changing window focus
user_pref("dom.disable_window_flip", true);

// Prevent JavaScript from resizing your browser +
user_pref("dom.disable_window_move_resize", true);

// Prevent the Close button from being disabled
user_pref("dom.disable_window_open_featu re.close", true);

// same as dom.disable_window_open_feature.locationbar ?? or nothing +
user_pref("dom.disable_window_open_feature.dire ctories", true);

// Prevent the URL bar from being disabled?
user_pref("dom.disable_window_open_feat ure.location", true);

// Prevent the Menu bar from being disabled
user_pref("dom.disable_window_open_featu re.menubar", true);

// Prevent the Minimize button from being disabled
user_pref("dom.disable_window_open_featu re.minimizable", true);

// Prevent the Bookmarks Toolbar from being disabled
user_pref("dom.disable_window_open_featu re.personalbar", true);

// Prevent window resizing from being disabled
user_pref("dom.disable_window_open_featu re.resizable", true);

// Prevent scrollbars from being disabled
user_pref("dom.disable_window_open_featu re.scrollbars", true);

// Prevent the Status bar from being disabled
user_pref("dom.disable_window_open_featu re.status", true);

// Prevent the Title bar from being disabled
user_pref("dom.disable_window_open_featu re.titlebar", true);

// Prevent Javascript from hiding toolbar in new windows? +
user_pref("dom.disable_window_open_feature.tool bar", true);

// Prevent Javascript from changing status bar text +
//user_pref("dom.disable_window_status_change", true);

Firefox, huh ?

[ElVirolo]

Of course, that won't stop me from using Firefox But then how do you know you ARE using the 'proper' Firefox if the interface is spoofed ?

Double standards?

[bamf]

Of course, that won't stop me from using Firefox.

If this was an issue with IE and not Firefox, I hope you'd still be saying the same thing?

However I suspect that you'd be denigrating IE as loudly as possible, while insisting that everyone should move immediately to Firefox.

Re:Double standards?

[soloport]

It works like this:
a) If you use anything Microsoft, you're an idiot.
b) If you use anything Linux, you're a maniac.

Sort of like slow-driver/fast-driver syndrome.

Bear in mind...

[Aluminum+Tuesday]

Bear in mind that this spoof only looks convincing if you haven't changed your Firefox toolbar at all, ie. you haven't switched to smaller icons or added/removed/moved buttons.

It also fails to appear properly on the Macintosh.

If someone wanted to make some kind of exploit with this, they'd want to target a specific platform and Firefox revision. (eg. 0.9 on Windows) Since Firefox is in constant development, it could well change between revisions and render these spoofs obsolete.

I don't really see this as a Firefox vulnerability. Use any browser without a popup blocker, and you'll see a lot of popup ads pretending to be legitimate OS windows and dialogs. This is really just a variation of that.

Re:Bear in mind...

[JRIsidore]

Bear in mind that this spoof only looks convincing if you haven't changed your Firefox toolbar at all, ie. you haven't switched to smaller icons or added/removed/moved buttons.

Sure, if a toolbar suddenly looks like the default config all users will suspect a faked UI and get alerted instantly... you expect too much. IMHO many will simply assume the browser messed up their config and keep on browsing. Even if the majority gets suspicious, the small percentage that is fooled is most likely to be profitable enough for the phishers.
Any fresh Firefox installation asks about sending unencrypted form data, but not about executing arbitrary XUL stuff? This is a serious design flaw.

Javascript window "features"

[Ianoo]

The real problem here is not so much XUL, but Javascript!

Why does the browser even allow Javascript to create popup windows without toolbars, menu bars and status bars? This has to be one of the most annoying features of any web browser, I can't for the life of me understand why anyone would think up or need such a feature.

Without this Javascript, you couldn't turn the real menubars and toolbars off, and the problem would be much less severe since although you'd have a second set of interface controls within the browser window, the real status bar would be at the bottom, and the real menubar would be at the top.

Firefox already has a way to block JS from doing this and using several other of its most annoying features, and indeed I personally have these limits switched on already. Put about:config in the address bar, and change these entires to the following values (or look up how to make a user.js file on Google):

dom.disable_window_move_resize = true
dom.disable_window_open_feature.close = true
dom.disable_window_open_feature.directories = true
dom.disable_window_open_feature.location = true
dom.disable_window_open_feature.menubar = true
dom.disable_window_open_feature.minimizable = true
dom.disable_window_open_feature.personalbar = true
dom.disable_window_open_feature.resizable = true
dom.disable_window_open_feature.scrollbars = true
dom.disable_window_open_feature.status = true
dom.disable_window_open_feature.titlebar = true
dom.disable_window_open_feature.toolbar = true
dom.disable_window_status_change = true


Now try the example given in the summary again.

There's something rotten in Firefox.

[cyclop]

And not just for the bug itself (that probably will be fixed quite rapidly). There are two issues behind this.

(1).The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla,so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy. This is pure security-through-obscurity, in pure M$ style. If the bug wasn't "confidential",I'm sure we should have seen this fixed years ago.
I just hope most of the other open source/free software projects I rely on every day (Linux,KDE,Mplayer,Kile,Thunderbird,Nicotine and so on...) don't follow such a moron habit.

(2)How can the browser load XUL code and use it without warning? This is not a bug: this looks more like IE-like flawed design. Correct design shouldn't even *read* any data of this kind, let alone running it and let it deface the browser itself!

The Mozilla family of browsers/mail clients is still a crew of wonderful programs,and I'm proud of using them. But they will rapidly become IE-like crap, if they continue this way.

Re:There's something rotten in Firefox.

[AC-x]

I certainly think having confidential bugs was a very bad idea (who gets to see them I wonder?) but running XUL code is hard not to without making it quite useless, at work we plan to look at it with the view to using it in our web applications instead of HTML (which I think is one of the things it was originally for).

I mean, it's basically the same as using images to spoof the IE toolbars, Firefox just gives you the tools to do a better job of it.

The only thing I can think of that wouldn't make using XUL a total pita is to warn the users first time a site trys to use it, something like

"Do you want this site to create an interface in XUL (phishing warning blah blah blah).
[Yes] [No] [x] remember this for xyz.com

Re:There's something rotten in Firefox.

[Jugalator]

The problem was known 4 years ago, but it was marked confidential. I'm not familiar with BugZilla,so I didn't even know there could be a "confidential" bug. This is the antithesis of Open Source philosophy.

I fully agree this is a very bad idea. All it takes is someone to get hacked, or in another way disclosing information about these secret bugs, and then they might start circulating among "underground" hackers without us knowing it, and voila we have an exploit for an issue a very large group of the developers didn't even know exist.

If they did know, they could of course have offered help in resolving the bug much earlier.

They need to start thinking about these things now as the browser might start to gain momentum. Even if it's not huge problems revealed, merely the fact that secret bugs exists and are revealed now and then (I have no doubt we'll see more in the future since this is probably not the only one), is severe negative publicity for the Mozilla products. It wouldn't be nearly as bad if the bugs weren't secret.

Re:There's something rotten in Firefox.

[AlXtreme]

The only thing I can think of that wouldn't make using XUL a total pita is to warn the users first time a site trys to use it, something like

How about just disabling the execution of remotely-retrieved XUL files from within Firefox by default? I'm surprised Firefox didn't warn before loading the spoof from the remote site, it clearly should as a minimum. However as more and more new users with the click-before-you-read syndrome try out Firefox having it disabled by default seems the only sane thing to do.

If you want to view your web applications internally using XUL, having a whitelist akin to the popup blocker seems the best way (don't bother user unless he figures out something is missing and he clicks on the disabled-window icon). For all us people just wanting to browse some HTML, automatically (or even after prompting) running XUL from a remote server is a flaw and potentially dangerous, and should be considered as such. I'm amazed this hasn't received more attention.

Re:Javascript should be enabled.

[adam+mcmaster]

what sort of moron would let a webpage run code on his machine anyway?

The average user.

Too much zealotry

[brainnolo]

Well, this IS a bug, and a very nasty one, as the author of that page said, everything in that page can be made to work. With some Javascripts you could even identify which version of browser is running and adapt to it. I've been impressed by clicking on the pad lock. I don't think web pages should ever need to load XUL, this is bad design for me. I don't get how can you say that this is not a bug, that this can be done also in IE. Is not true! Those for IE are almost all just gifs and are very easy to notice. But wait, Mozilla loading XULs via HTTP:// without even popping-up an alert is a feature, IE loading ActiveX is..bad design! Why? At least ActiveX's CAN be useful! Please stay with your feet on the floor.

too bad, Mozilla suite suckers!

[frankie]

We fans of the "bloated" original Mozilla are once again left in the dust by Firefox. Loading the test page results in:

XML Parsing Error: undefined entity
Location: http://www.nd.edu/~jsmith30/xul/test/browser.xul
Line Number 20, Column 1:
<window id="main-window"
^

In seriousness, that's probably just an artifact of Firefox-specific XUL in the example, and could be fixed by a dedicated black hat. I agree with Lanoo, all versions of Moz should disable javascript toolbar-hiding by default.

don't allow pop-ups without menu/location/etc

[orabidoo]

in about:config, or in user.js:

user_pref("dom.disable_window_open_feature.locatio n", true);
user_pref("dom.disable_window_open_feature.menubar ", true);
user_pref("dom.disable_window_open_feature.minimiz able", true);
user_pref("dom.disable_window_open_feature.resizab le", true);
user_pref("dom.disable_window_open_feature.scrollb ars", true);
user_pref("dom.disable_window_open_feature.status" , true);

This makes all pop-ups have a full navigation bar, location bar, status bar, and forces them to be resizable and scrollable.

It may look uglier than plain-window pop-ups, but it does keep you in full control of your browser.

With these options set, the spoof pages look obviously like what they are: a fake browser within a real browser.

remote content should only control "client area"

[nothings]

Although there are other strategic fixes discussed in the bugzilla discussion, it seems to me the first point of order is to NOT allow disabling/hiding of the toolbars and status line. These are tools for the user; there's no reason for "untrusted" sites to be able to do this. There seems to be a strange mentality of trusting the remote site's opinion over that of the user, rather than "sandboxing" the remote site's control into a limited part of the browser (the "client area" aka the "content area").

Some site authors may say "but I really want to author a popup that doesn't have all that crap etc," but I don't see how it can be that important, especially given all the consequent badness. The only case I can see for this is that sometimes you do trust the content author--that there is a notion of Mozilla as a platform for application development. And, hey, ok, code reuse is good, but using Mozilla as a platform for a company-internal application is a totally different scenario; can't we recognize that as a different scenario and give it different rules instead of using one browser to rule them all?

Now, without being able to disable the location bar, you can't spoof the location bar trivially. You could put up a second one and hope people don't notice, and yeah, some people won't. Unfortunately, as pointed out on bugzilla, there's a case that this won't stop: you create an entire faux window, one that appears to be in front of the main one, but is actually just a part of it. So in the middle of your page you have a seeming popup window with a seeming location bar with a faux address. It wouldn't be draggable outside of the client area of the main window, but some people wouldn't notice it.

It's hard to see how to defend against that, although I am a wacky retro guy who thinks all of this DHTML stuff has given content creators way more power than they really need, and there would be nothing wrong with just pushing back on the standards until things weren't spoofable. (Remember when standards meant you wrote an RFC about something you had already implemented and figured out really worked; it didn't become a standard until people had exercised it in the field? Whatever happened to that?) Or maybe Ian Hickson is right and we're all just raving paranoic nutjobs. But it seems like exactly the sort of 'power before security' attitude that's gotten MS in a lot of trouble.

An entirely different way of looking at the problem of spoofing is that we transmit our secrets "in the clear" to the remote site. (Obviously encrypted by https or whatever.) If the remote site is spoofing, they get our password (and can maybe even open a connection to paypal or whatever and pass through everything so we don't know it's been spoofed). There's no need for us to give the secret to the remote site, though; just prove that we know it. For example, the server can give us some random data, and we use a non-reversible encryption algorithm to combine the random data and the password, and return the result of that. The server can verify that it's the right result without anyone transmitting the actual password (though the server must store the actual password, and not a hash of it). If this were the technology we were using, a spoofer wouldn't be able to use the password, unless the spoofer DID open a connection to the real site first, and get the challenge; then it could pass it through, but then the spoofer would have only this one chance to make use of the spoofed data, since the next time the real site challenged, the spoofer is stuck; whereas currently a spoofer just captures the user/password combo and keeps it around for later processing. This would raise the complexity bar for making effective use of spoofing (including email phishing!), although I don't know if it's high enough. But good luck getting it into browsers AND making it impossible for spoofers to create what looks like a login prompt of this kind but actually is just a plain old plaintext submit.

Use shit.slashdot.org :)

Use link to get the pretty green colors back.

Re:Use shit.slashdot.org :)

[ColMustard]

Because it is the subdomain which determines the theme. There is no 'shit' section, so it reverts to the default theme. Try it with a real section: replace the 'it' subdomain with 'apple' and you'll see the Apple section theme.

Expect this to get more prevalent

[gedhrel]

It's a serious problem. XAML, XUL and even SVG are positioning themselves as web-delivered application delivery platforms. The idea is to provide a mechanism for web-delivered apps to NOT look like they're running in a browser; instead, permitting more integration with the desktop.

This kind of spoofing is going to become more problematic, not less.

It's not just a bug, it's a bad user interface!

[argent]

The ability for web pages to override *any* part of the standard user interface, even if they can't then replace the UI with their own imitation, is something that I've been pissed off about for years. If you want to build an application development platfrom that can do anything, make it a separate program... leave me in control of the user interface of my own software.

There shouldn't be a mechanism in the HTML/script/etc to do things like pop-ups, pop-behinds, moving windows, windows without toolbars and status bars... there should be an unbreakable firewall at the edge of the document portion of the browser.

what?

[Ender+Ryan]

Seriously, people have been doing this sort of thing for years, with every browser. This one happens to be a bit more ambitious than most, but I've seen the same thing done with IE in the past.

I've never heard anyone say it was MS's fault that people can make a convincing fake browser interface to fool people. Hell, all of slashdot has discussed this type of thing before, with the old ads some companies made to look like popup dialog boxes. Those fooled a lot of people, but I've never heard anyone say it was MS's fault.

But there's a very simple solution, and I can explain it in one sentence.

Never let anything, popup windows, javascript, etc., hide any part of the browser interface.

That's it. 100% solution to the "fake browser interface" problem. In fact, Firefox already has that partly covered, "Allow scripts to: [*] Hide the status bar" => "Allow scripts to: [ ] Hide the status bar". That setting should default to unchecked, and it shouldn't be user-modifiable. On my system, I immediately saw a double status-bar. But that's not enough, the menu bar and browser controls shouldn't be hidable either.

XP SP2 does this

[spideyct]

Good suggestion.

Also, Internet Explorer with Windows XP SP2 will prevent websites from creating pop-up windows without a status bar, or with the status bar positioned off screen. Microsoft has recognized that the status bar should always be visible, I think the Mozilla/Firefox team should follow suit.

http://www.microsoft.com/technet/prodtechnol/win xp pro/maintain/sp2brows.mspx#XSLTsection137121120120

Why is this article specific to Mozilla?

[jdkane]

I don't understand why this cannot be done without XUL/Mozilla. E.g. Why can this spoof not happen through Mozilla & plain DHTML (no XUL), or in IE too? Without XUL I can also pop up a new window without any chrome and then create my own fake chrome elements through DHTML (including drop-down menus, status bar acorss bottometc etc)

What am I missing when I don't understand why this problem is specific to XUL in Mozilla?

YOU CANNOT DO THE SAME THING WITH IE!!

[skidoo2]

At the risk of losing MASSIVE Karma points, I can't, in good conscience, fail to note that all of these claims that IE is vulnerable to this same type of spoofing are FALSE. You cannot create a fake browser window of ANY size or shape in IE with the same theme the user is employing for his or her desktop. This information is simply NOT available to IE's DHTML implementation. You can fool a retard with a borderless fake window, but you'll never guess my lime green ugly-ass color scheme is in place, and I **will** notice the rogue window.

This is why the Mozilla vulnerability is so serious. You could fool even very experienced users. Like sysadmins who log in as root. :-)

It's not that big a deal really

[carlmenezes]

What it does is mimic the interface of an UNMODIFIED Firefox. Install ANY exension that changes the menubar or toolbar and you'll notice all that gone in the new window.

Heck, you don't even need to install any extensions...just customize your toolbar a little...place ANY icon after the help menu and try the proof of concept...it doesn't work - the difference is too obvious.

Neat trick, definitely, but I don't see it as much more.

XUL is bloated and slow

[ngunton]

XUL makes these browsers unusably slow on older machines. I have to use Netscape 4.8 (which has its own issues, but speed certainly isn't one of them - it doesn't take 5-10 seconds to open a new window) in order to get acceptable response on my old 450 MHz desktop (which is, I might add, perfectly fine using ANY other application, including Windows 2000, IE, Apache, MySQL, Word and so on).

I really think (as others have also mentioned) there is a lot of blinkered thinking when it comes to Open Source software, to the extent that people are starting to blindly ignore the flaws - these same flaws in Microsoft apps would be pilloried mercilessly, but here you see all kinds of "yeah, but" comments. I am not putting down OSS, but the XUL thing was a classic example of developers going away to make a browser, and coming back with a bloated, swiss-army-knife, can-customize-up-the-wazoo Internet Platform. I don't particularly care about changing the "skin" on my browser - all I want is a small, fast application that adheres to standards and is preferably cross platform. They could have gotten the cross-platform part by using something like wxWidgets. I thought Firefox was supposed to be smaller and faster, but unfortunately XUL still seems to be at its core. And for those who say "Well, why don't you go away and make your own browser" - I have other projects I am working on and don't have the time.

And to all those people who say that I should just get a new computer - well, tell that to all the schools out there who have old computers donated for teaching the kids. Anyway, Why should I have to upgrade because of one application - a BROWSER of all things? Just a classic case of developers going over the top to prove to everybody just how smart they are and how generalized their code is. And what do you know, now we find out that there seems to be a darker side to all this customizable GUI code. Oh well...

BTW, I don't hate Mozilla. This is a criticism of one aspect of the project that I think just went severely off-track with featuritis. The project is very worthy effort and I applaud the people who are making it, but these are just my honest thoughts on the matter.

I wasn't vulnerable!

[Dwonis]

I couldn't figure out why I wasn't vulnerable, until I looked in my user.js file:

// More DOM/JavaScript options

// Make sure all pop-up windows are resizable:
user_pref("dom.disable_window_open_fea ture.resizable", true);

// Make sure all pop-up windows are minimizable:
user_pref("dom.disable_window_open_f eature.minimizable", true);

// Always display the menu in pop-up windows:
user_pref("dom.disable_window_open_featu re.menubar", true);

// Always display the Navigation Toolbar in pop-up windows:
user_pref("dom.disable_window_open_featu re.location", true);

That didn't prevent the statusbar hack, but it made everything else *really* obvious.

Have a look at about:config. There's a lot of useful stuff in there.

Re:Holy Shit

[HermanAB]

Try this, it mostly works:
./.mozilla/firefox/default.flc/prefs.js
user_pref("dom.disable_window_open_feature.locat ion", true);
user_pref("dom.disable_window_open_feature.menub ar", true);
user_pref("dom.disable_window_open_feature.minim izable", true);
user_pref("dom.disable_window_open_feature.resiz able", true);
user_pref("dom.disable_window_open_feature.scrol lbars", true);
user_pref("dom.disable_window_open_feature.statu s", true);

It is only the last line that seems to be buggy, since the status bar still gets overloaded.