Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Firefox iFrame Bug Bypasses URL Protections

Posted by CmdrTaco on from the is-nothing-safe-any-more dept.

Trailrunner7 writes "There is a newly discovered vulnerability in Mozilla's flagship Firefox browser that could enable an attacker to trick a user into providing his login credentials for a given site by using an obfuscated URL. In most cases, Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection, possibly leading to a compromise of the user's sensitive information."

10 of 118 comments (clear)

  1. iFrame? by plover · · Score: 3, Insightful

    "iFrame"? Seriously? Of all the possible choices of camelCasing you could have picked from, "iFrame" is the only one that describes an Apple video format for the iPhone.

    When referencing the inline frame HTML element, it's a lot clearer to use "iframe", "IFRAME", or even "IFrame".

    --
    John
    1. Re:iFrame? by Neil+Boekend · · Score: 2, Insightful

      Seriously? Off all the possible names Apple could have chosen from they chose to use a name that also describes an antiquated but still used technique that is abused in attacks?

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  2. Once again, kids by Pojut · · Score: 4, Insightful

    Never click on a URL within an email to take you to a website...always go directly to the website yourself.

    Also, use some common sense. You're the 30,000th person today who has been told they are the one millionth visitor...ignore the temptation to smack that bear (or whatever flash ads are doing nowadays)

    --
    Living With a Nerd
    1. Re:Once again, kids by Anonymous Coward · · Score: 1, Insightful

      http://www.xkcd.com/570/ [xkcd.com]

  3. Re:I'm missing something by EMN13 · · Score: 2, Insightful

    So - this isn't a bug, and the article is just attention-grabbing. It's a fundamental limitation of links.

  4. Re:Oh Please ... by Bill+Hayden · · Score: 2, Insightful

    Users are harder to patch though.

    --
    Protect your browser with the Force Safe Search add-on
  5. Re:This does not affect my Firefox version by eulernet · · Score: 3, Insightful

    What ? Slashdot works on a Safari browser ?

  6. Re:Step One: Uninstall Windows by Tim+C · · Score: 3, Insightful

    Or relevant, given the flaw is in Firefox.

    --
    It's official. Most of you are morons.
  7. Re:That's why you don't rely on the bells & wh by JustinOpinion · · Score: 2, Insightful

    if you don't know what a "good" URL looks like, take the time to educate yourself.

    That is good pragmatic advice. But it points to a fundamental failing in the current architecture.

    It basically means that every person must become proficient in parsing URLs themselves. They have to understand what the "http" means, what the resolution order is (why "facebook.com" is very different from "facebook.com.evil.uk"), to know about fonts (to differentiate ".com" and ".corn" or ".COM" from ".C0M"), to understand what character sets and encodings are (to notice other character substitutions), and to even understand subtleties of character sets (like the unicode "mirror" character...).

    In other words, it really sounds like we're asking people to do the task that a piece of parsing software should be doing. That's asking quite a lot of the average user. This doesn't mean that there is a simple solution. I certainly don't know what the answer is. But I'm just saying that knowing what a "good" URL looks like is not so simple. I have sympathy for users who get confused. So anything we can do to help them differentiate good from bad is probably a good thing.

  8. Re:I'm missing something by Anonymous Coward · · Score: 1, Insightful

    So - this isn't a bug, and the article is just attention-grabbing. It's a fundamental limitation of links.

    When a URL is obfuscated, Firefox warns you that things might not be what they appear to be. When that obfuscated URL is in an IFRAME, Firefox does not warn you that things might not be what they appear to be. Firefox's intended behaviour is to provide that warning. The intended behaviour does not match the actual behaviour. Therefore, this is a bug in Firefox.

    The overall threat is a fundamental limitation of links. Firefox's attempt to mitigate that threat contains a bug.