lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 19 Feb 2007 07:52:17 -0800
From: "Michael Wojcik" <Michael.Wojcik@...rofocus.com>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox: about:blank is phisher's best friend

> From: Michal Zalewski [mailto:lcamtuf@...ne.ids.pl] 
> Sent: Friday, 16 February, 2007 17:51
> To: bugtraq@...urityfocus.com
> Cc: full-disclosure@...ts.grok.org.uk
> 
> Firefox suffers from a design flaw that can be used to confuse casual
> users and evoke a false sense of authority when visiting a fraudulent
> website. ...
> 
> It is possible for a script to open 'about:blank' URL in a new tab;
this
> tab will be opened with a blank address bar (the behavior is different
for
> new windows, where the bar will be grayed out or hidden).

Nice work, as always.  A couple of points:

- Disabling Javascript for the attacking site prevents these attacks
from working, of course.  Firefox's NoScript extension, which implements
a scripting whitelist in a highly usable fashion, works nicely for this
sort of thing.  It will also prevent scripts from about:blank by
default, though that's of limited use here.

Unfortunately, it's unlikely that "casual users" will have NoScript
installed, though I'm happy to see that it's one of the most popular
Firefox extensions.

- The third attack on your page ("Test it through about:blank proxy"),
which is designed to open a spoofed-UI window with a "normal" title bar,
produced a window with the title "about: - Google - Mozilla Firefox" on
my test system (once I had NoScript temporarily allow Javascript from
your site).  I don't know offhand why I got the "about: -" prefix;
perhaps because NoScript disables Javascript from "about:blank" by
default?

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists