New Firefox iFrame Bug Bypasses URL Protections

Trailrunner7 writes "There is a newly discovered vulnerability in Mozilla's flagship Firefox browser that could enable an attacker to trick a user into providing his login credentials for a given site by using an obfuscated URL. In most cases, Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection, possibly leading to a compromise of the user's sensitive information."

Remembering passwords

My theory is that in general (unless you're using a public PC) it's safer to get the browser to remember your passwords for you. It's smarter than you in that it matches by the exact real URL of a form page and so won't insert your credentials into a bogus page. However, by that point you'll be used to the browser typing in your credentials for you, and will be jarred out of complacency when you notice that it hasn't.

Re:Remembering passwords

[natehoy]

Good start, but I'd go one step further. In fact, I do.

Have your browser remember your passwords for you, but for any important passwords make the stored username and password invalid (or an incomplete one that you can enter the rest of, then just remember not to click on the "update" button that comes up). Even just dropping one character off the username and password is enough.

That way, if you are fooled into an iframed URL, you'll see the symptom you describe, but if some future bug makes the password list vulnerable to attack, any potential attacker only gets (at most) only part of each password, not all of it.

Also, always allow the bogus username/password to present once before you enter the real one. If you see a "login failed" screen that looks legit, you're probably good to go, and you can enter your real username and password. If you see anything that looks like it's trying to pretend to be your bank, you know something was wrong but you also know your account credentials didn't get disclosed.

When I'm in the mood, I'll also sometimes whip up a quick temporary guest account on my computer to click on a few of the provided links in things that are obviously bogus and enter clearly ridiculous credentials into the resulting page a few times. Even the least attentive bank IT department would probably look askance at 10 failed login attempts for user "I_AM_A_HACKER" and want to consider tracing out their IP address. I'll probably never get any actual hackers caught, but it feels as good as ripping up all the junk mail I get and returning it in the little postage-paid envelopes they so thoughtfully provide. :)

Re:Remembering passwords

[The+MAZZTer]

Phishing sites will sometimes show a login failed screen on the first try so you think you entered a bad login. Then they redirect you to the real site login page so you can "try again".

Re:That's why you don't rely on the bells & wh

[shish]

if you don't know what a "good" URL looks like

What does the URL of an iframe look like?

Re:This does not affect my Firefox version

[644bd346996]

Umm, most Mac users aren't vulnerable to PDF exploits because they use the built-in Preview.app to read PDFs, not Adobe's Reader, and Preview.app doesn't support JavaScript, which is required for any PDF exploit. You also can't disguise an application or shell script or executable binary or disk image by putting .pdf at the end of the filename.

Re:This does not affect my Firefox version

[MacTenchi]

Yes, but the iPhone jailbreak: a PDF vulnerability that lead to arbitrary code execution. Preview.app may not be as safe as you think.