New Firefox iFrame Bug Bypasses URL Protections
Trailrunner7 writes "There is a newly discovered vulnerability in Mozilla's flagship Firefox browser that could enable an attacker to trick a user into providing his login credentials for a given site by using an obfuscated URL. In most cases, Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection, possibly leading to a compromise of the user's sensitive information."
So Firefox has a security issue? All browsers do. Mozilla tends to fix them very quickly so I'm sure this will be patched soon enough.
Remember kids, 'Free Software' != 'Bug Free Software'.
If you rely on some alert or some fancy feature for protection, you really aren't being as proactive as you could. Regardless of what any alerts might or might not say, if the URL doesn't look right, err on the side of caution. While there are always exceptions, if you don't know what a "good" URL looks like, take the time to educate yourself.
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
You can update the status bar to indicate something else, you can use the legitimate site as a username for a non-legitimate site (i.e. www.google.com@www.malwaresite.com), or you can just make the URL look as official as possible (i.e. ebay-secure.com) and hope people believe it's authentic.
You can also access the site numerically (e.g. http://1208929379/ is Google) but that's more for fun than evil.
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
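Added example, not part of the thread: a defender-side check for the two syntactic tricks named in the comment above (a trusted name placed before `@`, and a host written as a bare number). It relies on the standard `URL` class found in browsers and Node.js; `rawHost`, `inspectUrl` and the finding labels are hypothetical names chosen for illustration.

```javascript
// Returns the host exactly as it was typed, before any normalisation.
function rawHost(input) {
  // The authority is everything between "//" and the next "/", "?" or "#".
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(input);
  if (!m) return null;
  const authority = m[1];
  const at = authority.lastIndexOf("@"); // userinfo ends at the LAST "@"
  const hostPort = at >= 0 ? authority.slice(at + 1) : authority;
  return hostPort.replace(/:\d*$/, "").toLowerCase(); // drop an optional port
}

// Parses the URL the way a browser does and reports what the user
// would really connect to, plus any obfuscation that was found.
function inspectUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return { host: null, findings: ["unparseable"] };
  }
  const findings = [];

  // "www.google.com@www.malwaresite.com": the text before "@" is a
  // username, not the site. The real host is what follows it.
  if (url.username || url.password) {
    findings.push("userinfo-before-host");
  }

  // "http://1208929379/": the parser normalises integer, hex and octal
  // hosts to a dotted quad. If the normalised form differs from what was
  // typed, the address was written in a disguised notation.
  const dottedQuad = /^\d{1,3}(\.\d{1,3}){3}$/;
  const written = rawHost(input);
  if (written !== null && dottedQuad.test(url.hostname) && written !== url.hostname) {
    findings.push("numeric-host-encoded");
  }

  return { host: url.hostname, findings };
}

// Constructed sample inputs taken from the examples in the comment above.
for (const u of ["http://www.google.com@www.malwaresite.com/",
                 "http://1208929379/",
                 "http://ebay-secure.com/"]) {
  console.log(u, JSON.stringify(inspectUrl(u)));
}
```

The third input, `ebay-secure.com`, produces no findings: a lookalike name is syntactically a perfectly ordinary host, so it has to be caught by comparing against the domains you actually expect rather than by parsing.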
From Using Lynx in a Graphical WWW:
When Lynx encounters an inline (or floating) frame, it will display IFRAME: [Name_of_Source / Name_of_File]. The name of the source or file will be hyperlinked to the source file, allowing you to go there.
That is why. Now stop disagreeing with people in order to look insightful. It takes 3 seconds to Google that shit.
The blog post that TFA refers to should be this one:
http://blog.armorize.com/2010/08/iframes-and-url-stringency-mozilla.html
(Yea, their typing skills don't impress me either.)
That in turn links to a BugZilla entry, though it's locked down at the moment.
They claim that all the code is audited but the UnrealIRCd trojan (only in the Loonix version but not the Windows LOL), Debian OpenSSL fiasco and that huge Apache flaw that allowed administrator access, just to name a few, show that this is pure fantasy.
(Score: +5, Troll)
Since when? 2009.
You couldn't even be bothered to google the nonsense you're spouting before claiming I'm the troll?
http://support.apple.com/kb/HT3905
http://us.sanyo.com/News/SANYO-Dual-Cameras-are-World-s-First-with-iFrame-Video-Format
http://en.wikipedia.org/wiki/iFrame_(video_format)
Given that nothing factual in your post is correct, the only thing I can assume is that you're the troll, and that I'm feeding you. Congrats on a well-played hand of stupidity!
John