Phishing with Firefox!

Discussion in 'Firefox' started by Reg Mouatt, Nov 3, 2004.

  1. Reg Mouatt

    Reg Mouatt Guest

    Food for thought - spotted this on:

    Secunia issued a security report detailing how most major web browsers
    with the tabbed browsing feature were vulnerable to two different

    First, the browsers. Recognize any you use?

    * Mozilla 1.7.3
    * Mozilla Firefox 0.10.1
    * Camino 0.8
    * Opera 7.54
    * Konqueror 3.2.2-6
    * Netscape 7.2
    * Avant Browser 9.02 build 101 and 10.0 build 029
    * Maxthon (MyIE2) 1.1.039

    Now, the vulnerabilities. One of them is pretty clever, and one of
    them, I think, is a bit overstated, but I'll explain that in a second.

    1. You have a couple of different websites open in a couple of
    tabs. You open another tab and head over to a trusted website, like
    PayPal's. You're on the PayPal site, when suddenly a dialog box opens,
    apparently from PayPal, and asks you to enter your password and your
    credit card info, "for verification purposes". You do so and keep
    using the PayPal site, never realizing that it was not the PayPal tab
    that spawned that dialog box, but a web site on a different, inactive
    tab. To see what I'm talking about, open the demo site at Secunia with
    an affected browser and follow the instructions. Very clever.

    There are two problems here. First, the browser doesn't easily
    keep the user informed as to which tab is responsible for the dialog
    box. That's an easy fix. Second, the browser shouldn't allow inactive
    tabs to spawn dialog boxes in the first place. Another easy fix. But
    still - not good. Clearly, none of the organizations creating these
    browsers ever envisioned such an attack. Of course, this attack will
    only work if you're already on a shady web site to begin with, and if
    that site knows you've gone to a site that it knows you trust, like
    PayPal. As Secunia itself points out, for this sneaky stunt to work it
    would "normally require that a user is tricked into opening a link
    from a malicious web site to a trusted web site in a new tab".
    Clearly, the likelihood of that string of events is pretty small. But
    it's still clever, and it would undoubtedly get a lot of folks in
    trouble if they somehow had both the "bad" and the "good" sites open
    at the same time in separate tabs.
    2. The second vulnerability strikes me as even less likely, but
    perhaps I'm wrong. Let's say you have a couple of different web sites
    open in a couple of tabs. You open another tab and head over to a
    trusted website, like PayPal's. You type in your username and
    password, but nothing shows up. You type it again. Still nothing.
    Assuming that PayPal's site is temporarily borked, you close the tab
    and continue on your merry way. Little do you know that everything you
    typed actually went into a form on a site found on one of your other
    tabs. If you want to see this in action, Secunia has a demo site up
    for this one as well.

    Reg Mouatt, Nov 3, 2004
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Tony Raven

    Firefox Phishing vulnerability

    Tony Raven, Jan 7, 2005, in forum: Firefox
    Michel Doucet
    Jan 7, 2005
  2. Jay Calvert

    Major Phishing Hole Found In IE and OE

    Jay Calvert, Feb 17, 2005, in forum: Firefox
    Michael J. Pelletier
    Feb 18, 2005
  3. Stubby

    Netcraft anti-phishing Toolbar

    Stubby, Jun 4, 2005, in forum: Firefox
    Reg Mouatt
    Jun 7, 2005
  4. catwalker63

    OT: Phishing Quiz

    catwalker63, Jul 31, 2004, in forum: MCSE
    Aug 3, 2004
  5. History Fan

    Google anti-Phishing tool for Firefox

    History Fan, Feb 5, 2006, in forum: Firefox
    Tony Raven
    Feb 5, 2006

Share This Page