Slashdot Mirror


New Firefox iFrame Bug Bypasses URL Protections

Trailrunner7 writes "There is a newly discovered vulnerability in Mozilla's flagship Firefox browser that could enable an attacker to trick a user into providing his login credentials for a given site by using an obfuscated URL. In most cases, Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection, possibly leading to a compromise of the user's sensitive information."

26 of 118 comments

  1. iFrame? by plover · · Score: 3, Insightful

    "iFrame"? Seriously? Of all the possible choices of camelCasing you could have picked from, "iFrame" is the only one that describes an Apple video format for the iPhone.

    When referencing the inline frame HTML element, it's a lot clearer to use "iframe", "IFRAME", or even "IFrame".

    --
    John
    1. Re:iFrame? by Neil+Boekend · · Score: 2, Insightful

      Seriously? Of all the possible names Apple could have chosen from, they chose to use a name that also describes an antiquated but still used technique that is abused in attacks?

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    2. Re:iFrame? by WrongSizeGlass · · Score: 3, Funny

      iFrames are commonly used to iNfect websites. iT's not always put there by the web designer.

    3. Re:iFrame? by plover · · Score: 2, Informative

      (Score: +5, Troll)

      Since when? 2009.

      You couldn't even be bothered to google the nonsense you're spouting before claiming I'm the troll?

      http://support.apple.com/kb/HT3905
      http://us.sanyo.com/News/SANYO-Dual-Cameras-are-World-s-First-with-iFrame-Video-Format
      http://en.wikipedia.org/wiki/iFrame_(video_format)

      Given that nothing factual in your post is correct, the only thing I can assume is that you're the troll, and that I'm feeding you. Congrats on a well-played hand of stupidity!

      --
      John
  2. Once again, kids by Pojut · · Score: 4, Insightful

    Never click on a URL within an email to take you to a website...always go directly to the website yourself.

    Also, use some common sense. You're the 30,000th person today who has been told they are the one millionth visitor...ignore the temptation to smack that bear (or whatever flash ads are doing nowadays)

    1. Re:Once again, kids by PolygamousRanchKid+ · · Score: 3, Funny

      ...ignore the temptation to smack that bear (or whatever flash ads are doing nowadays)

      I think the expression that you are looking for is spank that monkey.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:Once again, kids by jbarr · · Score: 5, Funny

      You're the 30,000th person today who has been told they are the one millionth visitor.

      Cool! What do I win?!?

      --
      My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
  3. Sigh... by Anonymous Coward · · Score: 2, Funny

    When will people finally migrate away from Windows, IE and all the security flaws?

    Wait a sec...

    1. Re:Sigh... by Anonymous Coward · · Score: 2, Informative

      From Using Lynx in a Graphical WWW:

      When Lynx encounters an inline (or floating) frame, it will display IFRAME: [Name_of_Source / Name_of_File]. The name of the source or file will be hyperlinked to the source file, allowing you go there.

      That is why. Now stop disagreeing with people in order to look insightful. It takes 3 seconds to Google that shit.

  4. That's why you don't rely on the bells & whist by jbarr · · Score: 4, Informative

    If you rely on some alert or some fancy feature for protection, you really aren't being as proactive as you could. Regardless of what any alerts might or might not say, if the URL doesn't look right, err on the side of caution. While there are always exceptions, if you don't know what a "good" URL looks like, take the time to educate yourself.

    --
    My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
  5. This does not affect my Firefox version by rshxd · · Score: 5, Funny

    I run a Mac and Macs are clearly immune from this because we do not get hacked nor get viruses. Brb, downloading this .pdf someone just sent me. I don't know who they are but I think I won some kind of lottery

    1. Re:This does not affect my Firefox version by eulernet · · Score: 3, Insightful

      What? Slashdot works on a Safari browser?

    2. Re:This does not affect my Firefox version by 644bd346996 · · Score: 2, Interesting

      Umm, most Mac users aren't vulnerable to PDF exploits because they use the built-in Preview.app to read PDFs, not Adobe's Reader, and Preview.app doesn't support JavaScript, which is required for any PDF exploit. You also can't disguise an application or shell script or executable binary or disk image by putting .pdf at the end of the filename.

    3. Re:This does not affect my Firefox version by MacTenchi · · Score: 2, Interesting

      Yes, but the iPhone jailbreak: a PDF vulnerability that led to arbitrary code execution. Preview.app may not be as safe as you think.

  6. Re:I'm missing something by Abstrackt · · Score: 3, Informative

    You can update the status bar to indicate something else, you can use the legitimate site as a username for a non-legitimate site (i.e. www.google.com@www.malwaresite.com), or you can just make the URL look as official as possible (i.e. ebay-secure.com) and hope people believe it's authentic.

    You can also access the site numerically (e.g. http://1208929379/ is Google) but that's more for fun than evil.

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  7. Remembering passwords by Anonymous Coward · · Score: 3, Interesting

    My theory is that in general (unless you're using a public PC) it's safer to get the browser to remember your passwords for you. It's smarter than you in that it matches by the exact real URL of a form page and so won't insert your credentials into a bogus page. However, by that point you'll be used to the browser typing in your credentials for you, and will be jarred out of complacency when you notice that it hasn't.

    1. Re:Remembering passwords by natehoy · · Score: 4, Interesting

      Good start, but I'd go one step further. In fact, I do.

      Have your browser remember your passwords for you, but for any important passwords make the stored username and password invalid (or an incomplete one that you can enter the rest of, then just remember not to click on the "update" button that comes up). Even just dropping one character off the username and password is enough.

      That way, if you are fooled into an iframed URL, you'll see the symptom you describe, but if some future bug makes the password list vulnerable to attack, any potential attacker gets (at most) only part of each password, not all of it.

      Also, always allow the bogus username/password to present once before you enter the real one. If you see a "login failed" screen that looks legit, you're probably good to go, and you can enter your real username and password. If you see anything that looks like it's trying to pretend to be your bank, you know something was wrong but you also know your account credentials didn't get disclosed.

      When I'm in the mood, I'll also sometimes whip up a quick temporary guest account on my computer to click on a few of the provided links in things that are obviously bogus and enter clearly ridiculous credentials into the resulting page a few times. Even the least attentive bank IT department would probably look askance at 10 failed login attempts for user "I_AM_A_HACKER" and want to consider tracing out their IP address. I'll probably never get any actual hackers caught, but it feels as good as ripping up all the junk mail I get and returning it in the little postage-paid envelopes they so thoughtfully provide. :)

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    2. Re:Remembering passwords by The+MAZZTer · · Score: 2, Interesting

      Phishing sites will sometimes show a login failed screen on the first try so you think you entered a bad login. Then they redirect you to the real site login page so you can "try again".

  8. Re:I'm missing something by EMN13 · · Score: 2, Insightful

    So - this isn't a bug, and the article is just attention-grabbing. It's a fundamental limitation of links.

  9. Re:Oh Please ... by Ziekheid · · Score: 4, Informative

    It's not even a security issue as far as I'm concerned. It's just one of their bonus services not detecting bad sites properly. There is no vulnerability in the browser itself, it's the user.

  10. Re:I'm missing something by smalltux · · Score: 5, Informative

    The blog post that TFA refers to should be this one:
    http://blog.armorize.com/2010/08/iframes-and-url-stringency-mozilla.html

    (Yea, their typing skills don't impress me either.)

    That in turn links to a BugZilla entry, though it's locked down at the moment.

  11. Re:Oh Please ... by Bill+Hayden · · Score: 2, Insightful

    Users are harder to patch though.

    --
    Protect your browser with the Force Safe Search add-on
  12. Re:Step One: Uninstall Windows by Tim+C · · Score: 3, Insightful

    Or relevant, given the flaw is in Firefox.

  13. Re:That's why you don't rely on the bells & wh by JustinOpinion · · Score: 2, Insightful

    if you don't know what a "good" URL looks like, take the time to educate yourself.

    That is good pragmatic advice. But it points to a fundamental failing in the current architecture.

    It basically means that every person must become proficient in parsing URLs themselves. They have to understand what the "http" means, what the resolution order is (why "facebook.com" is very different from "facebook.com.evil.uk"), to know about fonts (to differentiate ".com" and ".corn" or ".COM" from ".C0M"), to understand what character sets and encodings are (to notice other character substitutions), and to even understand subtleties of character sets (like the unicode "mirror" character...).

    In other words, it really sounds like we're asking people to do the task that a piece of parsing software should be doing. That's asking quite a lot of the average user. This doesn't mean that there is a simple solution. I certainly don't know what the answer is. But I'm just saying that knowing what a "good" URL looks like is not so simple. I have sympathy for users who get confused. So anything we can do to help them differentiate good from bad is probably a good thing.

  14. Re:That's why you don't rely on the bells & wh by shish · · Score: 2, Interesting

    if you don't know what a "good" URL looks like

    What does the URL of an iframe look like?

    --
    I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  15. Re:Oh Please ... by Johnath · · Score: 4, Informative

    I work for Mozilla on Firefox and I just wanted to respond to some of the claims being made here. We've opened up the bug so that others can take a look (bug 570658), but there is not much to see, here. The bug says that:

    1) if you visit a page that uses an iframe
    2) and that iframe's src attribute uses a deceptive url (e.g. "http://safe.com@evil.com")
    3) then we don't pop up a warning that the url is deceptive

    What's odd about the bug is that there is very little value to step 2 - only someone examining the page's source would notice the iframe's src attribute, so it's not clear to me where the deception is supposed to come in. A genuinely malicious page would source their attack iframes directly, unless they thought that this deceptive url might fool our phishing/malware protection. It won't.

    If someone thinks we're overlooking an attack vector here, we're really interested to hear it, but as described the attack feels pretty weak.

    If you think we're missing something critical, please do comment in the bug or get in touch with our security group ( http://www.mozilla.org/security/ ).

    Johnathan
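
Added example, not part of the thread or of Firefox's code: a defender-side check for the two URL forms the comments above describe, a host-like string in the userinfo position (`safe.com@evil.com`) and a numeric host (`http://1208929379/`), applied to iframe `src` attributes. The function names, the sample markup and the `example.test` base URL are assumptions made for this illustration; it relies on the standard WHATWG `URL` parser as shipped in Node.js and browsers.

```javascript
// Added example; SAMPLE_HTML is constructed, its hosts are quoted from the thread.
const SAMPLE_HTML = `
<iframe src="http://safe.com@evil.com/login"></iframe>
<iframe src="http://1208929379/"></iframe>
<iframe src="https://www.mozilla.org/security/"></iframe>
<iframe src="/local/widget.html"></iframe>`;

// Parse one URL as a browser would; report the host actually contacted
// and any reason the written form is deceptive.
function inspect(raw, base) {
  let url;
  try { url = new URL(raw, base); } catch { return { realHost: null, reasons: ["unparseable"] }; }
  const reasons = [];
  if (!/^https?:$/.test(url.protocol)) return { realHost: url.hostname, reasons };
  // Everything before '@' is userinfo, not the host.
  if (url.username || url.password) {
    reasons.push(/\.[a-z]{2,}$/i.test(url.username) ? "userinfo-looks-like-host" : "userinfo-present");
  }
  // The WHATWG parser rewrites integer, hex and octal hosts as dotted IPv4,
  // so compare the host as written with the host as parsed.
  const written = /^(?:[a-z][a-z0-9+.-]*:)?\/\/(?:[^\/?#@]*@)?([^\/?#:]+)/i.exec(raw);
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname);
  if (written && isIPv4 && written[1] !== url.hostname) reasons.push("obfuscated-ip-host");
  return { realHost: url.hostname, reasons };
}

// Collect iframe src attributes and keep those with findings.
// (Regex extraction keeps the sketch short; use an HTML parser in practice.)
function scanIframes(html, base) {
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const findings = [];
  for (const hit of html.matchAll(re)) {
    const src = hit[1] ?? hit[2] ?? hit[3];
    const result = inspect(src, base);
    if (result.reasons.length) findings.push({ src, ...result });
  }
  return findings;
}

console.log(scanIframes(SAMPLE_HTML, "http://example.test/"));
```

Reporting `realHost` next to the written `src` makes the mismatch visible to a reviewer, which is the information the status bar and page source do not give a user directly.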