Closed Bug 584910 Opened 14 years ago Closed 11 years ago

a.href substitution on onmousedown event creates a phishing vulnerability

Categories

(Toolkit :: Safe Browsing, defect)

Product:
Toolkit
Component:
Safe Browsing
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 229050

People

(Reporter: dchichkov, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 HREF can be substituted after the user clicks on the link thus creating a potential phishing vulnerability. Example: A link pointing to "http://www.some-prominent-bank.com" takes user to to "http://www.some-prominent-bank-in-nigeria.com". <a href="http://www.some-prominent-bank.com" onmousedown="this.href='http://www.some-prominent-bank-in-nigeria.com'; return true;" > http://www.some-prominent-bank.com </a> Reproducible: Always Steps to Reproduce: 1. Create an .html file containing: <html><head> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> </head><body><br>HREF substitution activated in the mousedown event that fires just before clicking in the link. <br>Example: A link pointing to "http://www.some-prominent-bank.com" takes user to to "http://www.some-prominent-bank-in-nigeria.com": <a href="http://www.some-prominent-bank.com/" onmousedown="this.href='http://www.some-prominent-bank-in-nigeria.com'; return true;"> http://www.some-prominent-bank.com </a> </body></html> 2. Open the file in Firefox; 3. Click on the http://www.some-prominent-bank.com link; 4. Link resolves into the http://www.some-prominent-bank-in-nigeria.com Actual Results: Link pointing to http://www.some-prominent-bank.com resolves into the http://www.some-prominent-bank-in-nigeria.com Expected Results: Alternative 1: disable a.href modification on onmousedown events; Alternative 2: issue a warning about a potential phishing attempt; Well known security vulnerability.
Component: Phishing Protection → General
QA Contact: phishing.protection → general
Version: unspecified → 3.6 Branch
See also bug 229050
Component: General → Phishing Protection
Status: UNCONFIRMED → NEW
Ever confirmed: true
Reproduced on Mozilla/5.0 (X11; Linux i686; rv:29.0) Gecko/20100101 Firefox/29.0.
Version: 3.6 Branch → Trunk
>Alternative 2: issue a warning about a potential phishing attempt; There's no guarantee/evidence this kind of operation is necessarily a phishing attempt. Note that if the target site is a phishing site, SafeBrowsing will kick in.
This is well covered in older bugs. Going to dupe. See also bug 325274.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.