Full Disclosure mailing list archives
Re: Firefox: about:blank is phisher's best friend
From: "Michael Wojcik" <Michael.Wojcik () microfocus com>
Date: Mon, 19 Feb 2007 07:52:17 -0800
From: Michal Zalewski [mailto:lcamtuf () dione ids pl] Sent: Friday, 16 February, 2007 17:51 To: bugtraq () securityfocus com Cc: full-disclosure () lists grok org uk Firefox suffers from a design flaw that can be used to confuse casual users and evoke a false sense of authority when visiting a fraudulent website. ... It is possible for a script to open 'about:blank' URL in a new tab;
this
tab will be opened with a blank address bar (the behavior is different
for
new windows, where the bar will be grayed out or hidden).
Nice work, as always. A couple of points: - Disabling Javascript for the attacking site prevents these attacks from working, of course. Firefox's NoScript extension, which implements a scripting whitelist in a highly usable fashion, works nicely for this sort of thing. It will also prevent scripts from about:blank by default, though that's of limited use here. Unfortunately, it's unlikely that "casual users" will have NoScript installed, though I'm happy to see that it's one of the most popular Firefox extensions. - The third attack on your page ("Test it through about:blank proxy"), which is designed to open a spoofed-UI window with a "normal" title bar, produced a window with the title "about: - Google - Mozilla Firefox" on my test system (once I had NoScript temporarily allow Javascript from your site). I don't know offhand why I got the "about: -" prefix; perhaps because NoScript disables Javascript from "about:blank" by default? -- Michael Wojcik Principal Software Systems Developer, Micro Focus _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Firefox: about:blank is phisher's best friend Michael Wojcik (Feb 19)
- <Possible follow-ups>
- Re: Firefox: about:blank is phisher's best friend Florian Weimer (Feb 22)
- Re: Firefox: about:blank is phisher's best friend Michal Zalewski (Feb 22)