In association with heise online

08 February 2007, 23:04

Problems with phishing and pop-up protection in Firefox


The open source browser Firefox has problems with its protection against phishing and unwanted pop-ups. Firefox versions up to and including the current version 2.0.0.1 no longer recognise registered phishing URLs if extra slashes are inserted as directory separators, for example www.heise-security.co.uk///services instead of www.heise-security.co.uk/services. The browser evidently compares the URL as typed rather than a canonicalised form, so a blacklisted URL can be put back into service for a new wave of phishing attacks simply by padding its path. The problem is currently marked as resolved in the Mozilla bug tracking database, but it is not clear whether this means the browser's behaviour has actually been changed.
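The underlying mistake is a blocklist lookup on the raw URL string. The following is an added example, not Firefox code: a toy blocklist with a naive exact-match lookup beside one that canonicalises first. The blocklist entries are constructed for the demonstration; the WHATWG URL parser (global in Node.js and browsers) already lower-cases the host, drops default ports and resolves "." and ".." segments, so the only extra step needed for the slash trick is collapsing runs of "/" in the path.

```javascript
// Added example, not the browser's own code. Blocklist entries are
// constructed for the demonstration.
const BLOCKLIST = new Set([
  "http://www.heise-security.co.uk/services",
  "http://phish.example/login/verify",
]);

// Naive lookup: compares the URL exactly as typed, so "///" evades it.
function isBlockedNaive(url) {
  return BLOCKLIST.has(url);
}

// Canonical form: scheme and host lower-cased, default port dropped, dot
// segments resolved (all done by the URL parser), fragment stripped, and
// runs of "/" in the path collapsed to one. Percent-encoded "%2F" is left
// alone: it is data, not a separator.
function canonicalize(url) {
  const u = new URL(url);
  // Assigning pathname re-runs the path parser, so "." and ".." segments
  // that only become visible after collapsing are resolved too.
  u.pathname = u.pathname.replace(/\/{2,}/g, "/");
  u.hash = "";
  return u.origin + u.pathname + u.search;
}

function isBlockedCanonical(url) {
  return BLOCKLIST.has(canonicalize(url));
}

// Quick self-check when run directly.
const probe = "http://www.heise-security.co.uk///services";
console.log(canonicalize(probe), isBlockedNaive(probe), isBlockedCanonical(probe));
```

Any other place the same blocklist is consulted (status bar warnings, link pre-checks) has to go through the same canonicalisation, or the attacker simply picks the code path that forgot.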

Meanwhile, Michal Zalewski claims to have discovered a possible vulnerability in the pop-up blocker in Firefox 1.5.0.9 that may allow an attacker to read arbitrary local files. According to Zalewski, the attack exploits the fact that Firefox downloads files offered by a website and saves them in a temporary folder without asking the user for confirmation. Access to local files via the file:// scheme is not permitted for web pages loaded from the internet, but JavaScript code that has been saved locally is permitted to access local files.

Zalewski describes the putative attack scenario as follows: when the user clicks on the URL of a crafted website, the site first sends an HTML file containing JavaScript and, a fraction of a second later, opens a pop-up. Firefox displays the pop-up, because under the default settings pop-ups opened in direct response to a user action are permitted. The pop-up covers the download dialog box, and the HTML file lands in the temporary folder under a random name without any user interaction. The pop-up then tells the user that a further pop-up must be allowed for the website to function correctly.

The second pop-up, which the user has to allow explicitly, can then refer to the locally saved HTML file containing the script, provided the attacker can predict its random name in the temporary folder. Because the random number generator Firefox uses for this is initialised with the current system time, it is, according to Zalewski, possible to predict the file name with sufficient reliability. Whether this all works in practice is not yet clear, as no demo exploit is currently available.

(ju)

Permalink: http://h-online.com/-732266