Re: Firefox: about:blank is phisher's best friend

2007-02-22 Thread Florian Weimer
* Michal Zalewski:

 Similarly, he could spoof a native browser-originating modal warning or
 dialog to have the user do something dumb. This problem was addressed by
 forcibly prepending current site name to window title for all URL-bar-less
 windows, so that the Internet origin of such a pop-up is clear, and so
 that it will have a hard time mimicking a native window.

This is the first time I read about the forced window title change.  I
hadn't noticed it earlier.  Do you think this is a good enough
security indicator (or indicator of origin, to be more precise)?


RE: Firefox: about:blank is phisher's best friend

2007-02-20 Thread Michael Wojcik
 From: Michal Zalewski [mailto:[EMAIL PROTECTED] 
 Sent: Friday, 16 February, 2007 17:51
 To: bugtraq@securityfocus.com
 Cc: full-disclosure@lists.grok.org.uk
 
 Firefox suffers from a design flaw that can be used to confuse casual
 users and evoke a false sense of authority when visiting a fraudulent
 website. ...
 
 It is possible for a script to open 'about:blank' URL in a new tab; this
 tab will be opened with a blank address bar (the behavior is different for
 new windows, where the bar will be grayed out or hidden).

Nice work, as always.  A couple of points:

- Disabling Javascript for the attacking site prevents these attacks
from working, of course.  Firefox's NoScript extension, which implements
a scripting whitelist in a highly usable fashion, works nicely for this
sort of thing.  It will also prevent scripts from about:blank by
default, though that's of limited use here.

Unfortunately, it's unlikely that casual users will have NoScript
installed, though I'm happy to see that it's one of the most popular
Firefox extensions.

- The third attack on your page ("Test it through about:blank proxy"),
which is designed to open a spoofed-UI window with a normal title bar,
produced a window with the title "about: - Google - Mozilla Firefox" on
my test system (once I had NoScript temporarily allow Javascript from
your site).  I don't know offhand why I got the "about: - " prefix;
perhaps because NoScript disables Javascript from about:blank by
default?

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus


Re: Firefox: about:blank is phisher's best friend

2007-02-17 Thread zonafirefox
I tested it in IE7 and it has the same problem. Opera 9.10 blocks the opening of
the new window but fails in the second button.


Re: Firefox: about:blank is phisher's best friend

2007-02-17 Thread Michal Zalewski
On Sat, 17 Feb 2007 [EMAIL PROTECTED] wrote:

 I tested it in IE7 and it has the same problem. Opera 9.10 blocks the
 opening of the new window but fails in the second button.

With MSIE7, it is possible only if you check 'Allow websites to open
windows without address or status bar' for that particular zone;
otherwise, all windows will have a minimal URL bar attached.

I'm not sure whether this setting is default - if it is, yeah, that'd be
bad for MSIE.

As far as Opera is concerned - by default, Javascript can't hide address
bars, and if you change this option, the originating URL is still
displayed.

/mz