New Firefox iFrame Bug Bypasses URL Protections
Trailrunner7 writes "There is a newly discovered vulnerability in Mozilla's flagship Firefox browser that could enable an attacker to trick a user into providing his login credentials for a given site by using an obfuscated URL. In most cases, Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection, possibly leading to a compromise of the user's sensitive information."
"iFrame"? Seriously? Of all the possible choices of camelCasing you could have picked from, "iFrame" is the only one that describes an Apple video format for the iPhone.
When referencing the inline frame HTML element, it's a lot clearer to use "iframe", "IFRAME", or even "IFrame".
John
Never click on a URL within an email to take you to a website...always go directly to the website yourself.
Also, use some common sense. You're the 30,000th person today who has been told they are the one millionth visitor...ignore the temptation to smack that bear (or whatever Flash ads are doing nowadays).
Living With a Nerd
When will people finally migrate away from Windows, IE and all the security flaws?
Wait a sec...
OK so by URL obfuscation I assume it means using Russian or other non-Latin characters in place of Latin ones in domain names to make a site domain look like paypal etc. But if you just put the login form in a frame THE TOP LEVEL PAGE STILL NEEDS A URL. I don't understand how that would help any, or am I misinterpreting "URL obfuscation"? A link to the relevant Bugzilla bug would be useful.
So Firefox has a security issue? All browsers do. Mozilla tends to fix them very quickly so I'm sure this will be patched soon enough.
Remember kids, 'Free Software' != 'Bug Free Software'.
If you rely on some alert or some fancy feature for protection, you really aren't being as proactive as you could. Regardless of what any alerts might or might not say, if the URL doesn't look right, err on the side of caution. While there are always exceptions, if you don't know what a "good" URL looks like, take the time to educate yourself.
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
I run a Mac and Macs are clearly immune from this because we do not get hacked nor get viruses. Brb, downloading this .pdf someone just sent me. I don't know who they are but I think I won some kind of lottery
My theory is that in general (unless you're using a public PC) it's safer to get the browser to remember your passwords for you. It's smarter than you in that it matches by the exact real URL of a form page and so won't insert your credentials into a bogus page. However, by that point you'll be used to the browser typing in your credentials for you, and will be jarred out of complacency when you notice that it hasn't.
Is there a link to a working demo?
Or relevant, given the flaw is in Firefox.
It's official. Most of you are morons.
if you don't know what a "good" URL looks like, take the time to educate yourself.
That is good pragmatic advice. But it points to a fundamental failing in the current architecture.
It basically means that every person must become proficient in parsing URLs themselves. They have to understand what the "http" means, what the resolution order is (why "facebook.com" is very different from "facebook.com.evil.uk"), to know about fonts (to differentiate ".com" and ".corn" or ".COM" from ".C0M"), to understand what character sets and encodings are (to notice other character substitutions), and to even understand subtleties of character sets (like the unicode "mirror" character...).
In other words, it really sounds like we're asking people to do the task that a piece of parsing software should be doing. That's asking quite a lot of the average user. This doesn't mean that there is a simple solution. I certainly don't know what the answer is. But I'm just saying that knowing what a "good" URL looks like is not so simple. I have sympathy for users who get confused. So anything we can do to help them differentiate good from bad is probably a good thing.
if you don't know what a "good" URL looks like
What does the URL of an iframe look like?
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
It doesn't matter. If I am going to type in important information, I backspace out the scheme and url and type in what I know it should be. Everybody else should too.
Go green: turn off your refrigerator.
There is a newly discovered vulnerability in Mozilla's flagship Firefox browser
So all of Mozilla's other browsers are okay?
William of Ockham had no beard. The most likely explanation is that it was chewed off by squirrels every morning.
Even better is if one uses double-byte characters and drops in Cyrillic characters. That domain may say one thing, but in reality, it might lead to a completely different rabbit hole.
Combine that with CAs who have been mentioned on /. as untrustworthy, and people may get a perfectly secure HTTPS connection to something that looks exactly like their bank's URL, but in reality is nowhere near.
And on Linux.
Indeed, I'm just typing this in a textbox in Firefox running on Linux.
The Tao of math: The numbers you can count are not the real numbers.
Firefox runs on Windows.
Firefox also runs on Linux. Now that the argument has come full circle, I suggest you reread Tim C's comment and think a little harder about what he's saying: your OS doesn't matter.
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
Iframes have been the vector of attack in the web domain for a long time. Blocking iframes has a twofold advantage -- it blocks these kinds of exploits and blocks crap ads too. Blocking them (or unblocking them if required) isn't that hard either.
"Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection" So, nothing of value will be lost if you're smart. Gotcha.
In a few releases, it will be worse than IE. It's not even in my top three browsers any more.
I would give you the list, but they're pretty obscure. You probably haven't heard of them.
True, but hovering over the URLs shows them in a clean font in the status bar of Firefox, so it's obvious which one is which.
But your point is taken. No one can know everything. But that's why we need to educate those who are prone to get stung by this stuff. My mantra to my parents and friends is, "If the link you are clicking on is unfamiliar or sent to you by someone you don't know, then just don't click it. Otherwise, proceed with caution." Sure, it isn't perfect, but it has significantly reduced the calls I get asking me to bail them out of a mess.
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
The solution is very simple: Cross-domain iframes should be prohibited. End of problem.
The author's nearly incomprehensible complaint (http://blog.armorize.com/2010/08/iframes-and-url-stringency-mozilla.html) is essentially that this is allowed to load, while entering http://foo:bar@example.com in the address bar results in a phishing-related warning. The purpose of this warning is to confirm you actually understand the syntax of the URL displayed in that very address bar.
Let that sink in for a while.
If you don't see a fundamental difference between these cases that makes this report completely rubbish, you should probably surrender your geek badge now.
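The comments above argue over how much URL parsing a user has to do by eye (userinfo before the "@", resolution order, look-alike characters). As an added example that is not part of the thread, here is a small checker that does that parsing in software; the function name, finding labels and heuristics are assumptions chosen for illustration, and the sample URLs in the comments are constructed.

```javascript
// Added example: report what a link or iframe src actually points at.
// inspectUrl and its finding labels are hypothetical, not a browser API.
const TLD_LIKE = new Set(["com", "net", "org"]);

function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG URL parser (Node.js and browsers)
  } catch (err) {
    return { ok: false, host: null, findings: ["unparseable"] };
  }
  const findings = [];
  const labels = url.hostname.split(".");

  // Only plain web schemes are expected for a login page.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    findings.push("unexpected-scheme");
  }

  // Everything before "@" is userinfo, not the site being contacted,
  // e.g. http://foo:bar@example.com really goes to example.com.
  if (url.username !== "" || url.password !== "") {
    findings.push("userinfo");
  }

  // The parser converts non-ASCII host labels to punycode ("xn--..."),
  // which exposes Cyrillic or other look-alike substitutions.
  if (labels.some((label) => label.startsWith("xn--"))) {
    findings.push("idn-label");
  }

  // Heuristic: a TLD-like label with two or more labels to its right,
  // as in facebook.com.evil.uk, where the rightmost part is what counts.
  // Requiring two labels avoids flagging suffixes such as "com.au".
  const embedded = labels.some(
    (label, i) => TLD_LIKE.has(label) && labels.length - 1 - i >= 2
  );
  if (embedded) findings.push("embedded-tld");

  return { ok: true, host: url.hostname, findings };
}
```

The `host` field is the name the browser would actually resolve, which is the value to show the user or compare against an allowlist.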
I think you're grossly over-complicating it. They don't need to know what http means. For people for whom that is too difficult a task, they should just know that it (or https) should be there. And even then I'm not really sure what kind of attack you could pull off by changing the protocol, assuming that they know the rest of the tips.
They do need to know the resolution order, but only generically. "The rightmost part of a domain is the important part of where you're going" is going to protect against the vast majority of potential attacks, and all it requires teaching is where the domain stops (the first slash after "http://").
The font thing is really contrived, and easily avoided by simply informing users that what the link says isn't always where it goes, and that they should look at their browser bar to see where it's actually pointing. In fact this is something that needs to be pointed out rather than taught, since almost all web users have seen a link in this fashion with descriptive text instead of a URL. Nobody thinks that's going to "in this fashion," whatever that is, so they already intuitively know it; they just need to be informed that it can be used for nefarious purposes and where to see what it's actually pointing at.
Can software do this? Yes. Should it? Yes. Should users rely on it? No. Making it seem like users need to attend classes in order to protect themselves from simple attacks like this is disingenuous. All it takes is a modicum of effort, which is prohibitive enough these days it seems.
I'm not running Firefox in Wine. I'm running the native Linux version.
The Tao of math: The numbers you can count are not the real numbers.
Take a hard look at one of the Metasploit frameworks (I'm sure most of you have heard of it). Now which OS has more vulnerabilities/exploit modules loaded for it? Go ahead... I'll wait.... That would be Windows, of course. Who owns Windows? Microsoft. Which Internet browser has the most exploits on Metasploit? No surprise there, it's MICROSOFT Internet Explorer. Granted, Firefox has a few too (such as the case here with IFRAMES) but it's nowhere near what IE comes loaded with, straight out of the box. Now the point of this is simple... closed source versus open source. In a proprietary market, you run into the problem of having one large company (such as M$) try to "prioritize" their agendas to suit its needs and it seems to show that they often lack in response to disclosed security vulnerabilities. It often takes much longer for M$ to patch a hole than it is for Mozilla. On top of all that, when M$ releases a product, it's often on a "deadline". They have to get xx units out by yy day. The whole "Well, we'll just fix that later" attitude tends to kick in and takes a toll rather quickly. I want to say that it's something like 300 out of the 500+ exploits in Metasploit are in Microsoft owned or other proprietary software. The rate at which open sourced bugs are FOUND and FIXED is incredibly fast in comparison. The amount of exploits you find for open source software is next to nil... and the ones that you DO find are often patched by users rather quickly as well. My point is simple... Firefox has a vulnerability... but what doesn't? But that's only a small peanut compared to the mammoth amount of vulnerabilities discovered for IE. Now, I must say that I don't agree with Mozilla's viewpoint on not fixing the bug, but maybe they have their reasons. I'll do my own research/testing before I decide to take anyone's side on that argument.
A)bort, R)etry, I)nfluence with large hammer
Well, maybe you look at this page especially at the second download link. But maybe you are just trolling, after all.
The Tao of math: The numbers you can count are not the real numbers.