In association with heise online

08 February 2007, 23:04

Problems with phishing and pop-up protection in Firefox

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The open source browser Firefox has problems with its protection against phishing and unwanted pop-ups. Firefox versions up to and including the current version no longer recognise registered phishing URLs if extra slashes are inserted as directory separators, as in, for example, It is possible, in this way, to circumvent the phishing protection feature and to reactivate URLs from the blacklist for a new wave of phishing attacks. The problem is currently marked as resolved in the Mozilla bug tracking database, but it is not clear whether this means that the open source browser's behaviour has been changed.

Meanwhile, Michal Zalewski claims to have discovered a possible vulnerability in the pop-up blocker in Firefox It may permit an attacker to read arbitrary local files. According to Zalewski, to do so, an attacker needs to exploit the fact that Firefox downloads tendered files and saves them into a temporary folder without requiring user confirmation. Access to local files using the file:// namespace is not permitted for internet-originating websites, but locally saved JavaScript code is permitted to access local files.

Zalewski describes the putative attack scenario as follows: if, after the user clicks on the URL of a crafted website, the website first sends the HTML file containing JavaScript and a fraction of a second later sends a pop-up, Firefox will display it, because pop-ups as a direct response to user actions are permitted under the default settings. The pop-up thereby covers the download dialog box and the HTML file lands in a temporary file with a random name without requiring user interaction. The pop-up informs the user that the following pop-up must be allowed for correct function of the website.

The second pop-up, which requires that the user allow it, is, as long as it is able to predict the random name in the temporary folder, able to refer to the locally saved HTML file containing the script. However because the random number generator used by Firefox is initialised using the current system time, it is, according to Zalewski, possible to predict the file name with sufficient reliability. Whether this all works in practice is not yet clear, as no demo exploit is currently available.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit