Problems with phishing and pop-up protection in Firefox
The open source browser Firefox has problems with its protection against phishing and unwanted pop-ups. Firefox versions up to and including the current version 18.104.22.168 no longer recognise registered phishing URLs if extra slashes are inserted as directory separators, as in, for example, www.heise-security.co.uk///services. This makes it possible to circumvent the phishing protection feature and to reactivate URLs from the blacklist for a new wave of phishing attacks. The problem is currently marked as resolved in the Mozilla bug tracking database, but it is not clear whether this means that the open source browser's behaviour has been changed.
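The mismatch described above appears with any exact-match lookup and disappears once the path is canonicalised before the lookup. The following is an added example, not Firefox's code: BLACKLIST, naiveKey, canonicalKey and isBlocked are hypothetical names, and the blacklist entry is constructed from the article's sample host.

```javascript
// Added example, not Firefox's code. All names are hypothetical.
// Constructed blacklist entry, stored as host + canonical path.
const BLACKLIST = new Set(["www.heise-security.co.uk/services"]);

// Exact-match key: host and path exactly as the URL parser returns them.
// The WHATWG URL parser keeps empty path segments, so "///services"
// stays "///services" here.
function naiveKey(rawUrl) {
  const u = new URL(rawUrl);
  return u.hostname + u.pathname;
}

// Canonical key: decode percent-escapes once, collapse runs of slashes,
// drop a trailing slash on the path and a trailing dot on the host.
function canonicalKey(rawUrl) {
  const u = new URL(rawUrl);
  const host = u.hostname.replace(/\.+$/, "");
  let path = u.pathname;
  try {
    path = decodeURIComponent(path); // turns %2F into "/" before collapsing
  } catch (e) {
    // malformed escape: keep the path as parsed
  }
  path = path.replace(/\/{2,}/g, "/");
  if (path.length > 1) path = path.replace(/\/$/, "");
  return host + path;
}

// True when the URL's key is on the blacklist; unparsable input never matches.
function isBlocked(rawUrl, keyFn) {
  try {
    return BLACKLIST.has(keyFn(rawUrl));
  } catch (e) {
    return false;
  }
}

// Constructed sample URLs based on the article's example host.
const samples = [
  "http://www.heise-security.co.uk/services",
  "http://www.heise-security.co.uk///services",
  "http://www.heise-security.co.uk/%2F/services/",
];
for (const s of samples) {
  console.log(s, "naive:", isBlocked(s, naiveKey),
              "canonical:", isBlocked(s, canonicalKey));
}
```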
The second pop-up, which the user has to allow, can refer to the locally saved HTML file containing the script, provided it is able to predict the random name in the temporary folder. However, because the random number generator used by Firefox is initialised using the current system time, it is, according to Zalewski, possible to predict the file name with sufficient reliability. Whether this all works in practice is not yet clear, as no demo exploit is currently available.
- Firefox + popup blocker + XMLHttpRequest + srand() = oops by Michal Zalewski
- Firefox Phishing Protection Bypass Vulnerability (Multiple /) by Kanedaaa
- Bug 367538 – Firefox 22.214.171.124 Phishing Protection bypass from the Mozilla bug tracking database