New Firefox iFrame Bug Bypasses URL Protections
Trailrunner7 writes "There is a newly discovered vulnerability in Mozilla's flagship Firefox browser that could enable an attacker to trick a user into providing his login credentials for a given site by using an obfuscated URL. In most cases, Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection, possibly leading to a compromise of the user's sensitive information."
"iFrame"? Seriously? Of all the possible choices of camelCasing you could have picked from, "iFrame" is the only one that describes an Apple video format for the iPhone.
When referencing the inline frame HTML element, it's a lot clearer to use "iframe", "IFRAME", or even "IFrame".
John
Never click on a URL within an email to take you to a website...always go directly to the website yourself.
Also, use some common sense. You're the 30,000th person today who has been told they are the one millionth visitor...ignore the temptation to smack that bear (or whatever flash ads are doing nowadays)
Living With a Nerd
When will people finally migrate away from Windows, IE and all the security flaws?
Wait a sec...
OK so by URL obfuscation I assume it means using Russian or other non-Latin characters in place of Latin ones in domain names to make a site domain look like paypal etc. But if you just put the login form in a frame THE TOP LEVEL PAGE STILL NEEDS A URL. I don't understand how that would help any, or am I misinterpreting "url obfuscation"? A link to the relevant Bugzilla bug would be useful.
So Firefox has a security issue? All browsers do. Mozilla tends to fix them very quickly so I'm sure this will be patched soon enough.
Remember kids, 'Free Software' != 'Bug Free Software'.
If you rely on some alert or some fancy feature for protection, you really aren't being as proactive as you could. Regardless of what any alerts might or might not say, if the URL doesn't look right, err on the side of caution. While there are always exceptions, if you don't know what a "good" URL looks like, take the time to educate yourself.
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
I run a Mac and Macs are clearly immune from this because we do not get hacked nor get viruses. Brb, downloading this .pdf someone just sent me. I don't know who they are but I think I won some kind of lottery
> Many of the mass SQL injection attacks and other large-scale Web-site compromises that have cropped up in the last couple of years have used iFrames as part of their attack vector.
Really? You need an iframe for SQL injection? (hint, you don't even need a browser) The author clearly doesn't know what he's talking about.
How exactly would warning someone about the content of an iframe matter if the top level site has a bogus URL? You can't even see the URL in an iframe. I'm not going to log into bankofamerica.ru even if it's using an iframe, period.
Unless the bug is something like this:
1) I create an obfuscated URL that looks like bank of america, which FF would normally warn about.
2) I create an iframe in the page, which prevents FF from warning the user.
That would be a real bug, but again the author doesn't even appear to know enough to give relevant details like that.
My theory is that in general (unless you're using a public PC) it's safer to get the browser to remember your passwords for you. It's smarter than you in that it matches by the exact real URL of a form page and so won't insert your credentials into a bogus page. However, by that point you'll be used to the browser typing in your credentials for you, and will be jarred out of complacency when you notice that it hasn't.
Step Two: Install Ubuntu
This really isn't all that complicated.
Yeah, that'll make people look at the URLs and not just presume it's their banks' website...
Isn't the default webbrowser on Ubuntu Firefox anyway?
Hmmm, let's try this
www.SLASHD0T.org
www.SLASHDOT.org
Which one is the real one? Depending on your font you may not be able to tell at all... I could even precondition you in some way by using one letter over another a bunch so your brain thinks hmm maybe this is the right letter. 0ver the course of time you may be able to tell quickly. But that is only if you look at style all the time. Many people do not. I for example can see something that is 2 pixels off. Many people can look at the same screen and it looks fine to them.
(It's the second one and I preconditioned you in the middle of the paragraph)
NOSCRIPT
"It's ok, I'm completely secure as long as my iron is off"
Is there a link to a working demo ?
Or relevant, given the flaw is in Firefox.
It's official. Most of you are morons.
> if you don't know what a "good" URL looks like, take the time to educate yourself.
That is good pragmatic advice. But it points to a fundamental failing in the current architecture.
It basically means that every person must become proficient in parsing URLs themselves. They have to understand what the "http" means, what the resolution order is (why "facebook.com" is very different from "facebook.com.evil.uk"), to know about fonts (to differentiate ".com" and ".corn" or ".COM" from ".C0M"), to understand what character sets and encodings are (to notice other character substitutions), and to even understand subtleties of character sets (like the unicode "mirror" character...).
In other words, it really sounds like we're asking people to do the task that a piece of parsing software should be doing. That's asking quite a lot of the average user. This doesn't mean that there is a simple solution. I certainly don't know what the answer is. But I'm just saying that knowing what a "good" URL looks like is not so simple. I have sympathy for users who get confused. So anything we can do to help them differentiate good from bad is probably a good thing.
> if you don't know what a "good" URL looks like
What does the URL of an iframe look like?
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
It doesn't matter. If I am going to type in important information, I backspace out the scheme and url and type in what I know it should be. Everybody else should too.
Go green: turn off your refrigerator.
> There is a newly discovered vulnerability in Mozilla's flagship Firefox browser
So all of Mozilla's other browsers are okay?
William of Ockham had no beard. The most likely explanation is that it was chewed off by squirrels every morning.
Even better is if one uses double-byte characters and drops in Cyrillic characters. That domain may say one thing, but in reality, it might lead to a completely different rabbit hole.
Combine that with CAs who have been mentioned on /. as untrustworthy, and people may get a perfectly secure HTTPS connection to something that looks exactly like their bank's URL, but in reality is nowhere near.
Firefox runs on Windows.
Maybe you should follow these steps before posting comments:
1) Think.
2) No, that's not thinking.
3) Nevermind.
And on Linux.
Indeed, I'm just typing this in a textbox in Firefox running on Linux.
The Tao of math: The numbers you can count are not the real numbers.
> Firefox runs on Windows.
Firefox also runs on Linux. Now that the argument has come full circle, I suggest you reread Tim C's comment and think a little harder about what he's saying: your OS doesn't matter.
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
Iframes have been the vector of attack in web domain for a long time. Blocking iframes has twofold advantage -- blocks these kinds of exploits and blocks crap ads too. Blocking(/Unblocking them if required) them isn't that hard either.
"Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection" So, nothing of value will be lost if you're smart. Gotcha.
In a few releases, it will be worse than IE. It's not even in my top three browsers any more.
I would give you the list, but they're pretty obscure. You probably haven't heard of them.
True, but hovering over the URLs shows them in a clean font in the status bar of Firefox, so it's obvious which one is which.
But your point is taken. No one can know everything. But that's why we need to educate those who are prone to get stung by this stuff. My mantra to my parents and friends is, "If the link you are clicking on is unfamiliar or sent to you by someone you don't know, then just don't click it. Otherwise, proceed with caution." Sure, it isn't perfect, but it has significantly reduced the calls I get asking me to bail them out of a mess.
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
and Macs
The solution is very simple: Cross-domain iframes should be prohibited. End of problem.
If the end user is dumb, they will get duped. There's only so much that browser protections can do to prevent you from your own sheer stupidity.
What!? And miss out on an opportunity to have all those comments?
When do people like you finally get it that Slashdot works as follows:
1) edit a post in such a way that it pisses off enough people to comment
2) profit
Slashdot is all about user generated content, and it doesn't take that much to get daily hundreds of comments from the geek police.
Running Firefox in Wine is not the same as installing Firefox on Linux. Windows vulnerabilities can show up in Wine, this is nothing new.
> I have sympathy for users who get confused. So anything we can do to help them differentiate good from bad is probably a good thing.
I do, too, which is probably why some kind of mandatory education about the internet should be necessary. We license drivers, maybe it's time to license internet users. I'm a libertarian, but sometimes people do need to be protected from their own stupidity. When you want to drive a vehicle around town, you need to learn the basics of how traffic flows. If you want to drive a bigger vehicle with a 5th wheel around town, you even need to understand some common failure points when connecting and disconnecting from a trailer and other things like how to read your air pressure and the operation principle of air brakes.
Perhaps if people decide to store personal information on these newfangled computer devices, they should be aware of the ways that their information could become compromised. They should be aware of how their system can even be subverted, and they should know common internet conventions like the anatomy of a URL (protocol, domain name, etc).
Computers are fantastically complicated devices. They're wonderful machines that do whatever you want. Unfortunately, people expect that computers are semi-living beings (kind of like Star Trek), and that they just naturally get worms and viruses over time, like people and pets get sick. Don't go out in the cold! You'll get sick. Don't surf without AV software or it'll get sick! Perhaps some mandatory user education could help people get away from superstitions like every internet website must needs start with "www dot" and end with "dot com." (My co-workers have a very difficult time when a client requests they access websites that don't start with "www dot.")
The repercussions of licensing internet users (anonymity, tin foil hats, etc) are beyond the scope of this (anonymous) post.
The author's nearly incomprehensible complaint (http://blog.armorize.com/2010/08/iframes-and-url-stringency-mozilla.html) is essentially that this is allowed to load, while entering http://foo:bar@example.com in the address bar results in a phishing-related warning. The purpose of this warning is to confirm you actually understand the syntax of the URL displayed in that very address bar.
Let that sink in for a while.
If you don't see a fundamental difference between these cases that makes this report completely rubbish, you should probably surrender your geek badge now.
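Added example, not part of any comment in this thread and not code from the linked report: the URL-reading rules commenters describe (userinfo before "@" as in http://foo:bar@example.com, rightmost labels deciding the site as in facebook.com.evil.uk, look-alike characters) written as a check with the WHATWG URL API. The names `inspectUrl` and `expectedHost` are hypothetical, and the sample URLs are constructed from addresses quoted in the thread.

```javascript
// Added example, not from the thread. Parses a link target with the WHATWG
// URL API and reports the cues commenters say users must spot by eye.
// inspectUrl and expectedHost are hypothetical names.
function inspectUrl(raw, expectedHost) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return { valid: false, host: null, sameSite: false, findings: ['unparseable URL'] };
  }
  const findings = [];
  const host = url.hostname; // lowercased; non-ASCII labels become xn-- form

  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    findings.push('unexpected scheme ' + url.protocol);
  }
  // Everything before "@" is credentials, not the site being contacted.
  if (url.username !== '' || url.password !== '') {
    findings.push('userinfo present before "@"');
  }
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    findings.push('host has non-ASCII (punycode) label');
  }
  // The rightmost labels decide the site: exact match or a true subdomain.
  const expected = expectedHost.toLowerCase();
  const sameSite = host === expected || host.endsWith('.' + expected);
  if (!sameSite) {
    findings.push('host ' + host + ' is not under ' + expected);
  }
  return { valid: true, host, sameSite, findings };
}

// Constructed samples built from addresses quoted in the thread.
const SAMPLES = [
  ['http://foo:bar@example.com/', 'example.com'],
  ['http://facebook.com.evil.uk/login', 'facebook.com'],
  ['http://www.SLASHD0T.org/', 'slashdot.org'],
  ['http://www.SLASHDOT.org/', 'slashdot.org'],
  ['http://p\u0430ypal.example/', 'paypal.example'], // \u0430 is Cyrillic "a"
];

for (const [raw, expected] of SAMPLES) {
  const r = inspectUrl(raw, expected);
  console.log(raw, '->', r.host, r.findings.length ? r.findings : 'no findings');
}
```

The same-site test is a plain suffix comparison against a host the caller already trusts; it does not consult the Public Suffix List.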
I think you're grossly over-complicating it. They don't need to know what http means. For people for whom that is too difficult a task, they should just know that it (or https) should be there. And even then I'm not really sure what kind of attack you could pull off by changing the protocol, assuming that they know the rest of the tips.
They do need to know the resolution order, but only generically. "The rightmost part of a domain is the important part of where you're going" is going to protect against the vast majority of potential attacks, and all it requires teaching is where the domain stops (the first slash after "http://").
The font thing is really contrived, and easily avoided by simply informing users that what the link says isn't always where it goes, and that they should look at their browser bar to see where it's actually pointing. In fact this is something that needs to be pointed out rather than taught, since almost all web users have seen a link in this fashion with descriptive text instead of a URL. Nobody thinks that's going to "in this fashion," whatever that is, so they already intuitively know it; they just need to be informed that it can be used for nefarious purposes and where to see what it's actually pointing at.
Can software do this? Yes. Should it? Yes. Should users rely on it? No. Making it seem like users need to attend classes in order to protect themselves from simple attacks like this is disingenuous. All it takes is a modicum of effort, which is prohibitive enough these days it seems.
Step Two: Install FreeBSD.
Exactly how much handholding do you require during any given day?
If you have NoScript installed, select "Options..." on the menu, go to the "Embeddings" tab, and ensure that "Forbid <IFRAME>" is enabled.
You can still click on any IFRAME to selectively allow it. AFAIK, this hasn't interfered with my browsing, but I tend not to go to sites likely to use IFRAMEs.
- T
I'm not running Firefox in Wine. I'm running the native Linux version.
The Tao of math: The numbers you can count are not the real numbers.
Take a hard look at one of the Metasploit frameworks (I'm sure most of you have heard of it). Now which OS has more vulnerabilities/exploit modules loaded for it? Go ahead... I'll wait.... That would be Windows, of course. Who owns Windows? Microsoft. Which Internet browser has the most exploits on Metasploit? No surprise there, it's MICROSOFT Internet Explorer. Granted, Firefox has a few too (such as the case here with IFRAMES) but it's nowhere near what IE comes loaded with, straight out of the box. Now the point of this is simple... closed source versus open source. In a proprietary market, you run into the problem of having one large company (such as M$) try to "prioritize" their agendas to suit its needs and it seems to show that they often lack in response to disclosed security vulnerabilities. It often takes much longer for M$ to patch a hole than it is for Mozilla. On top of all that, when M$ releases a product, it's often on a "deadline". They have to get xx units out by yy day. The whole "Well, we'll just fix that later" attitude tends to kick in and takes a toll rather quickly. I want to say that it's something like 300 out of the 500+ exploits in Metasploit are in Microsoft owned or other proprietary software. The rate at which open sourced bugs are FOUND and FIXED is incredibly fast in comparison. The amount of exploits you find for open source software is next to nil... and the ones that you DO find are often patched by users rather quickly as well. My point is simple... Firefox has a vulnerability... but what doesn't? But that's only of a small peanut compared to the mammoth amount of vulnerabilities discovered for IE. Now, I must say that I don't agree with Mozilla's viewpoint on not fixing the bug, but maybe they have their reasons. I'll do my own research/testing before I decide to take anyone's side on that argument.
A)bort, R)etry, I)nfluence with large hammer
Most Linux distributions come with Wine pre-installed by default, so you're probably running that. Wine is not an emulator, but an (invisible) abstraction layer that allows you to run native Windows code.
When a URL is loaded in an iframe, I don't even get to see it. So why should it be obfuscated, and how does it trick me if it is? URL obfuscation only works with humans, and only when they are actually able to see the URL. Whoever uses "View source" can parse HTML, how should they not be able to parse a URL?
The POC (specific conditions) is released here
http://www.secniche.org/videos/mozilla_bug_570658.html