Date: Fri, 16 Feb 2007 23:50:52 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Firefox: about:blank is phisher's best friend

Firefox suffers from a design flaw that can be used to confuse casual
users and evoke a false sense of authority when visiting a fraudulent
website. The flaw can also be used to bypass a fix for an old UI spoofing
bug that was thought to be addressed. This is a relatively minor issue,
but I thought it's worth reporting.

It is possible for a script to open the 'about:blank' URL in a new tab;
this tab will be opened with a blank address bar (the behavior is
different for new windows, where the bar will be grayed out or hidden).

The script can then interact with this document as if it were a page in
the same domain, including the ability to inject custom HTML. Some
methods of adding this HTML, such as win.document.write(), will update
document.location and the address bar to that of the interacting script,
which seems like an intuitive choice - the user is informed about the
origin of the displayed data.

Since about:blank is a minimal but valid HTML document with a DOM
structure, it is also possible to inject code through the use of
win.document.body.appendChild() and friends, in which case, the URL bar
remains blank, the 'reload' button is disabled, and 'page info' / 'page
source' menu options will show no useful data.

Having text displayed in a window that has an empty URL bar can confuse
the user as to the origin of the displayed data or security prompts, as if
they were internal browser messages; an empty address bar is considerably
less suspicious than a shady host name or a panic-inducing data: URL
scheme.

Furthermore, there was an old UI spoofing bug - when a window was opened
without a URL bar and menus, the attacker could use strategically placed
graphics and HTML controls (or XUL code), so that the fake URL bar read
"google.com", while an IFRAME below could display "zombo.com" instead.
Similarly, he could spoof a native browser-originating modal warning or
dialog to have the user do something dumb. This problem was addressed by
forcibly prepending the current site name to the window title for all
URL-bar-less windows, so that the Internet origin of such a pop-up is
clear, and so that it will have a hard time mimicking a native window.

The problem is that 'about:blank' windows that have no document.location
defined can be used to inhibit this behavior: the window title can be
freely controlled, except for the appended ' - Mozilla Firefox' string,
so browser UI elements can be spoofed without the user having a reason
to be suspicious.

A quick if naive demonstration of the two attacks described here can be
found at this URL:

  http://lcamtuf.coredump.cx/ffblank/

[ Note that I simply used a screenshot of my UI, which is a non-standard
  one, and the image is not compensated for other screen resolutions etc;
  as such, you should be able to see that the URL bar is unusual and
  non-interactive; that's not a limitation of this attack, but rather,
  an unloved bastard child of my sheer laziness. ]

<rant>
PS. On an unrelated note - in 2004, people began to notice that these
    nifty yellow security notification bars that appear on the top of
    MSIE7 and FF windows can be trivially spoofed by a webpage ("A plugin
    is required to display this content." / "An update to Firefox is
    available"), proving that placing messages in a script-accessible
    region of the window was a terrible, terrible design decision. These
    problems were not fixed, but rather dismissed as a user responsibility
    (to do what exactly, learn all legitimate notices and tell them from
    fakes?). What the hell?
</rant>

Cheers,
/mz
http://lcamtuf.coredump.cx
