Forgot your password?
typodupeerror
Mozilla Bug Firefox Security Technology

New Firefox iFrame Bug Bypasses URL Protections 118

Posted by CmdrTaco
from the is-nothing-safe-any-more dept.
Trailrunner7 writes "There is a newly discovered vulnerability in Mozilla's flagship Firefox browser that could enable an attacker to trick a user into providing his login credentials for a given site by using an obfuscated URL. In most cases, Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection, possibly leading to a compromise of the user's sensitive information."
This discussion has been archived. No new comments can be posted.

New Firefox iFrame Bug Bypasses URL Protections

Comments Filter:
  • iFrame? (Score:3, Insightful)

    by plover (150551) * on Tuesday August 17, 2010 @09:48AM (#33275116) Homepage Journal

    "iFrame"? Seriously? Of all the possible choices of camelCasing you could have picked from, "iFrame" is the only one that describes an Apple video format for the iPhone.

    When referencing the inline frame HTML element, it's a lot clearer to use "iframe", "IFRAME", or even "IFrame".

    • Re: (Score:2, Insightful)

      by Neil Boekend (1854906)
      Seriously? Off all the possible names Apple could have chosen from they chose to use a name that also describes an antiquated but still used technique that is abused in attacks?
      • The iframe HTML statement is a valid way to format a webpage in a simple straightforward way. ie: <iframe src="foobar.html" style="border-width: 0pt;" frameborder="2" height="220" scrolling="auto" width="640"></iframe> .
    • Surely 'IFrame' would be an interface declaration for 'Frame'? :)
    • Re: (Score:1, Troll)

      by beelsebob (529313)

      (Score:-1, Just Plain Bollocks)

      Since when does apple have a video format called iFrame. Last I checked apple had no video codecs, and only one video container format called mov, and as far as supporting other people's codecs and containers supported only MPEG4, h264 and mp4 other than their own mov.

      Given that nothing factual in your post is correct, the only thing I can assume is that you're simply taking the opportunity to yell "oh my god, someone made me think of apple, now I've lost 'the game'". There'

  • Once again, kids (Score:5, Insightful)

    by Pojut (1027544) on Tuesday August 17, 2010 @09:53AM (#33275176) Homepage

    Never click on a URL within an email to take you to a website...always go directly to the website yourself.

    Also, use some common sense. You're the 30,000th person today who has been told they are the one millionth visitor...ignore the temptation to smack that bear (or whatever flash ads are doing nowadays)

  • Sigh... (Score:2, Funny)

    by Anonymous Coward

    When will people finally migrate away from Windows, IE and all the security flaws?

    Wait a sec...

    • by mfraz74 (1151215)
      Perhaps we should all go back to using Lynx or other text only web browser. Who needs fancy graphics anyway?
  • OK so by URL obfuscation I assume it means using russian or other non-latin characters in place of latin ones in domain names to make a site domain look like paypal etc. But if you just put the login form in a frame THE TOP LEVEL PAGE STILL NEEDS A URL. I don't understand how that would help any, or am I misinterpreting "url obfuscation"? I link to the relevant bugzilla bug would be useful.
    • by Abstrackt (609015) on Tuesday August 17, 2010 @10:08AM (#33275358)

      You can update the status bar to indicate something else, you can use the legitimate site as a username for a non-legitimate site (i.e. www.google.com@www.malwaresite.com), or you can just make the URL look as official as possible (i.e. ebay-secure.com) and hope people believe it's authentic.

      You can also access the site numerically (e.g. http://1208929379/ [1208929379] is Google) but that's more for fun than evil.

      • by EMN13 (11493)

        Right - is any of that a browser bug or is that merely people failing at phishing detection?

        • by Abstrackt (609015)

          Right - is any of that a browser bug or is that merely people failing at phishing detection?

          Those are just a few examples of what URL obfuscation looks like, which was the question I was answering. You could stick the two middle examples into an iframe if you wanted though.

        • by plover (150551) *

          Right - is any of that a browser bug or is that merely people failing at phishing detection?

          The two are pretty much the same these days. Half the populace can't tell the difference between the internet and their browser, and those people will never understand security attacks like phishing or malicious redirection. But some of them at least can be taught that a warning box is a scary thing that you should click "no" on.

    • by AHuxley (892839)
      could just be blue plain text with a link from a simple expected link text [slashdot.org] to a more complex url that has the known expected 'words' in it, hex code, IP addresses, dword, octal IP, just shifted by a few . . surrounded by complex letters and numbers.
      • Re: (Score:3, Insightful)

        by EMN13 (11493)

        So - this isn't a bug, and the article is just attention-grabbing. It's a fundamental limitation of links.

        • Re: (Score:1, Insightful)

          by Anonymous Coward

          So - this isn't a bug, and the article is just attention-grabbing. It's a fundamental limitation of links.

          When a URL is obfuscated, Firefox warns you that things might not be what they appear to be. When that obfuscated URL is in an IFRAME, Firefox does not warn you that things might not be what they appear to be. Firefox's intended behaviour is to provide that warning. The intended behaviour does not match the actual behaviour. Therefore, this is a bug in Firefox.

          The overall threat is a fundamental limitation of links. Firefox's attempt to mitigate that threat contains a bug.

    • by smalltux (1127541) on Tuesday August 17, 2010 @10:42AM (#33275716) Homepage
      The blog post that TFA refers to should be this one:
      http://blog.armorize.com/2010/08/iframes-and-url-stringency-mozilla.html [armorize.com]

      (Yea, their typing skills don't impress me either.)

      That in turn links to a BugZilla entry [mozilla.org], though it's locked down at the moment.
  • Oh Please ... (Score:2, Informative)

    So Firefox has a security issue? All browsers do. Mozilla tends to fix them very quickly so I'm sure this will be patched soon enough.

    Remember kids, 'Free Software' != 'Bug Free Software'.
    • Re:Oh Please ... (Score:5, Informative)

      by Ziekheid (1427027) on Tuesday August 17, 2010 @10:33AM (#33275626)

      It's not even a security issue as far as I'm concerned. It's just one of their bonus services not detecting bad sites properly. There is no vulnerability in the browser itself, it's the user.

      • Re: (Score:2, Insightful)

        by Bill Hayden (649193)
        Users are harder to patch though.
      • Re:Oh Please ... (Score:5, Informative)

        by Johnath (85825) on Tuesday August 17, 2010 @03:55PM (#33280084) Homepage

        I work for Mozilla on Firefox and I just wanted to respond to some of the claims being made here. We've opened up the bug so that others can take a look (bug 570658), but there is not much to see, here. The bug says that:

        1) if you visit a page that uses an iframe
        2) and that iframe's src attribute uses a deceptive url (e.g. "http://safe.com@evil.com")
        3) then we don't pop up a warning that the url is deceptive

        What's odd about the bug is that there is very little value to step 2 - only someone examining the page's source would notice the iframe's src attribute, so it's not clear to me where the deception is supposed to come in. A genuinely malicious page would source their attack iframes directly, unless they thought that this deceptive url might fool our phishing/malware protection. It won't.

        If someone thinks we're overlooking an attack vector here, we're really interested to hear it, but as described the attack feels pretty weak.

        If you think we're missing something critical, please do comment in the bug or get in touch with our security group ( http://www.mozilla.org/security/ [mozilla.org] ).

        Johnathan

  • by jbarr (2233) on Tuesday August 17, 2010 @09:59AM (#33275242) Homepage

    If you rely on some alert or some fancy feature for protection, you really aren't being as proactive as you could. Regardless of what any alerts might or might not say, if the URL doesn't look right, err on the side of caution. While there are always exceptions, if you don't know what a "good" URL looks like, take the time to educate yourself.

    • Re: (Score:3, Insightful)

      if you don't know what a "good" URL looks like, take the time to educate yourself.

      That is good pragmatic advice. But it points to a fundamental failing in the current architecture.

      It basically means that every person must become proficient in parsing URLs themselves. They have to understand what the "http" means, what the resolution order is (why "facebook.com" is very different from "facebook.com.evil.uk"), to know about fonts (to differentiate ".com" and ".corn" or ".COM" from ".C0M"), to understand what character sets and encodings are (to notice other character substitutions), and

      • by Dhalka226 (559740)

        hey have to understand what the "http" means, what the resolution order is (why "facebook.com" is very different from "facebook.com.evil.uk"), to know about fonts (to differentiate ".com" and ".corn" or ".COM" from ".C0M")

        I think you're grossly over-complicating it. They don't need to know what http means. For people for whom that is too difficult a task, they should just know that it (or https) should be there. And even then I'm not really sure what kind of attack you could pull off by changing the prot

    • Re: (Score:3, Interesting)

      by shish (588640)

      if you don't know what a "good" URL looks like

      What does the URL of an iframe look like?

  • by rshxd (1875730) on Tuesday August 17, 2010 @10:06AM (#33275330)
    I run a Mac and Macs are clearly immune from this because we do not get hacked nor get viruses. Brb, downloading this .pdf someone just sent me. I don't know who they are but I think I won some kind of lottery
    • by eulernet (1132389) on Tuesday August 17, 2010 @10:47AM (#33275774)

      What ? Slashdot works on a Safari browser ?

      • Who uses Safari on Mac? It's AWFUL! // happily using Chrome, and Firefox for Netflix.

        • by eulernet (1132389)

          Slashdot is so buggy that I doubt that it works on anything else than IE and Firefox ;-)

          • by swilly (24960)

            Actually, Slashdot on Chrome performs reasonably well. For many sites, the performance difference between Firefox and Chrome is hard to detect, but with Slashdot the difference is almost as big as it is between Firefox and IE.

    • Re: (Score:2, Interesting)

      by 644bd346996 (1012333)

      Umm, most Mac users aren't vulnerable to PDF exploits because they use the built-in Preview.app to read PDFs, not Adobe's Reader, and Preview.app doesn't support JavaScript, which is required for any PDF exploit. You also can't disguise an application or shell script or executable binary or disk image by putting .pdf at the end of the filename.

      • Re: (Score:2, Interesting)

        by MacTenchi (104785)

        Yes, but the iPhone jailbreak: a PDF vulnerability that lead to arbitrary code execution. Preview.app may not be as safe as you think.

    • by mrmeval (662166)

      I have iFrames blocked the same way I have iPhones, iPods, iDicks, iDildos, iPansies, iDemoccrats and iRepublicans blocked.

  • by Anonymous Coward on Tuesday August 17, 2010 @10:19AM (#33275468)

    My theory is that in general (unless you're using a public PC) it's safer to get the browser to remember your passwords for you. It's smarter than you in that it matches by the exact real URL of a form page and so won't insert your credentials into a bogus page. However, by that point you'll be used to the browser typing in your credentials for you, and will be jarred out of complacency when you notice that it hasn't.

    • by natehoy (1608657) on Tuesday August 17, 2010 @12:05PM (#33276806) Journal

      Good start, but I'd go one step further. In fact, I do.

      Have your browser remember your passwords for you, but for any important passwords make the stored username and password invalid (or an incomplete one that you can enter the rest of, then just remember not to click on the "update" button that comes up). Even just dropping one character off the username and password is enough.

      That way, if you are fooled into an iframed URL, you'll see the symptom you describe, but if some future bug makes the password list vulnerable to attack, any potential attacker only gets (at most) only part of each password, not all of it.

      Also, always allow the bogus username/password to present once before you enter the real one. If you see a "login failed" screen that looks legit, you're probably good to go, and you can enter your real username and password. If you see anything that looks like it's trying to pretend to be your bank, you know something was wrong but you also know your account credentials didn't get disclosed.

      When I'm in the mood, I'll also sometimes whip up a quick temporary guest account on my computer to click on a few of the provided links in things that are obviously bogus and enter clearly ridiculous credentials into the resulting page a few times. Even the least attentive bank IT department would probably look askance at 10 failed login attempts for user "I_AM_A_HACKER" and want to consider tracing out their IP address. I'll probably never get any actual hackers caught, but it feels as good as ripping up all the junk mail I get and returning it in the little postage-paid envelopes they so thoughtfully provide. :)

      • Re: (Score:3, Interesting)

        by The MAZZTer (911996)
        Phishing sites will sometimes show a login failed screen on the first try so you think you entered a bad login. Then they redirect you to the real site login page so you can "try again".
  • Is there a link to a working demo ?
  • There is a newly discovered vulnerability in Mozilla's flagship Firefox browser

    So all of Mozilla's other browsers are okay?

  • Iframes have been the vector of attack in web domain for a long time. Blocking iframes has two fold advantage -- blocks these kind of exploits and blocks crap ads too. Blocking(/Unblocking them if required) them isnt that hard either.
  • "Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection" So, nothing of value will be lost if you're smart. Gotcha.
  • In a few releases, it will be worse than IE. It's not even in my top three browsers any more.

    I would tell give you the list, but they're pretty obscure. You probably haven't heard of them.

  • The solution is very simple: Cross-domain iframes should be prohibited. End of problem.

  • by gqx (1293372)
    I can't believe that Slashdot got trolled so nicely. Here is the complete proof of concept:

    <iframe src="http://foo:bar@example.com"></iframe>

    The author's nearly incomprehensible complaint (http://blog.armorize.com/2010/08/iframes-and-url-stringency-mozilla.html [armorize.com]) is essentially that this is allowed to load, while entering http://foo:bar@example.com in the address bar results in a phishing-related warning. The purpose of this warning is to confirm you actually understand the syntax of the URL d

  • Take a hard look at one of the Metasploit frameworks (I'm sure most of you have heard of it). Now which OS has more vulnerabilities/exploit modules loaded for it? Go ahead... I'll wait.... That would be Windows, of course. Who owns Windows? Microsoft. Which Internet browser has the most exploits on Metasploit? No surprise there, it's MICROSOFT Internet Explorer. Granted, Firefox has a few too (such as the case here with IFRAMES) but it's no where near what IE comes with loaded with, straight out of t

I've never been canoeing before, but I imagine there must be just a few simple heuristics you have to remember... Yes, don't fall out, and don't hit rocks.

Working...