New Firefox iFrame Bug Bypasses URL Protections
Trailrunner7 writes "There is a newly discovered vulnerability in Mozilla's flagship Firefox browser that could enable an attacker to trick a user into providing his login credentials for a given site by using an obfuscated URL. In most cases, Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection, possibly leading to a compromise of the user's sensitive information."
iFrame? (Score:3, Insightful)
"iFrame"? Seriously? Of all the possible choices of camelCasing you could have picked from, "iFrame" is the only one that describes an Apple video format for the iPhone.
When referencing the inline frame HTML element, it's a lot clearer to use "iframe", "IFRAME", or even "IFrame".
Once again, kids (Score:5, Insightful)
Never click on a URL within an email to take you to a website...always go directly to the website yourself.
Also, use some common sense. You're the 30,000th person today who has been told they are the one millionth visitor...ignore the temptation to smack that bear (or whatever flash ads are doing nowadays).
Re:I'm missing something (Score:3, Insightful)
So - this isn't a bug, and the article is just attention-grabbing. It's a fundamental limitation of links.
Re:This does not affect my Firefox version (Score:4, Insightful)
What? Slashdot works on a Safari browser?
Re:Step One: Uninstall Windows (Score:4, Insightful)
Or relevant, given the flaw is in Firefox.
Re:That's why you don't rely on the bells & wh (Score:3, Insightful)
if you don't know what a "good" URL looks like, take the time to educate yourself.
That is good pragmatic advice. But it points to a fundamental failing in the current architecture.
It basically means that every person must become proficient in parsing URLs themselves. They have to understand what the "http" means, what the resolution order is (why "facebook.com" is very different from "facebook.com.evil.uk"), to know about fonts (to differentiate ".com" and ".corn" or ".COM" from ".C0M"), to understand what character sets and encodings are (to notice other character substitutions), and to even understand subtleties of character sets (like the unicode "mirror" character... [azarask.in]).
In other words, it really sounds like we're asking people to do the task that a piece of parsing software should be doing. That's asking quite a lot of the average user. This doesn't mean that there is a simple solution. I certainly don't know what the answer is. But I'm just saying that knowing what a "good" URL looks like is not so simple. I have sympathy for users who get confused. So anything we can do to help them differentiate good from bad is probably a good thing.
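Added example (not from this thread, and not Mozilla's code): a small Python sketch of the parsing the comment above argues software should do on the user's behalf. It assumes a tiny constructed stand-in for the Public Suffix List and a hand-picked confusable table, both labelled as such in the code, and flags the tricks the comment names: a trusted name placed in the userinfo part before an @ (the obfuscated-URL case the article is about), an extra owning domain appended after the expected one ("facebook.com.evil.uk"), digit/letter look-alikes ("c0m"), and non-ASCII (IDN) characters that fold to a familiar name. The sample URLs are constructed and use reserved example domains.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption for this example;
# a real deployment would load the actual list, which has thousands of entries).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "example"}

# Hand-picked confusables a reader easily misses in a URL bar (constructed, not
# exhaustive): Latin look-alikes plus a few Cyrillic letters that render like Latin.
CONFUSABLES = {
    "0": "o", "1": "l", "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def decode_host(host):
    """Turn punycode labels (xn--...) back into Unicode so script mixing is visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        # Already Unicode (or malformed punycode): inspect it as given.
        return host


def registrable_domain(host):
    """Return the label just above the public suffix, e.g. evil.uk for facebook.com.evil.uk."""
    labels = host.lower().strip(".").split(".")
    # Try the longest candidate suffix first so that "co.uk" wins over "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def skeleton(host):
    """Fold a host so that look-alikes collide: NFKC, lowercase, then the confusable map."""
    folded = unicodedata.normalize("NFKC", host).lower()
    for lookalike, plain in CONFUSABLES.items():
        folded = folded.replace(lookalike, plain)
    return folded


def assess(url, expected_domain):
    """Describe why a URL the user believes leads to expected_domain might not."""
    parts = urlsplit(url)
    host = decode_host(parts.hostname or "")
    reg = registrable_domain(host)
    expected = expected_domain.lower()
    findings = {
        "host": host,
        "registrable": reg,
        # http://www.bank.com@evil.example/ puts the trusted name in the userinfo part;
        # the real host is whatever follows the @.
        "userinfo": parts.username is not None,
        # Non-ASCII after decoding means IDN characters are in play.
        "non_ascii": any(ord(c) > 127 for c in host),
        "matches_expected": reg == expected,
    }
    # A look-alike folds to the expected domain's skeleton without actually being it.
    findings["lookalike"] = (not findings["matches_expected"]
                             and skeleton(reg) == skeleton(expected))
    findings["suspicious"] = findings["userinfo"] or not findings["matches_expected"]
    return findings


# Constructed sample URLs mirroring the tricks named in the comment above.
CYRILLIC_FACEBOOK = "http://" + "f\u0430cebook.com".encode("idna").decode("ascii") + "/"
SAMPLES = [
    "https://www.facebook.com/login",
    "http://www.facebook.com@evil.example/login",
    "http://facebook.com.evil.uk/",
    "http://www.faceb00k.com/",
    "http://facebook.c0m/",
    CYRILLIC_FACEBOOK,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = assess(sample, "facebook.com")
        flags = [k for k in ("userinfo", "non_ascii", "lookalike") if result[k]]
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {sample:45} -> {result['registrable']} {flags}")
```

The point of the registrable-domain step is that the user-facing question is "who owns this name", which depends on the public suffix rather than on the leftmost labels; the skeleton step is the software equivalent of the font and character-set knowledge the comment says users are being asked to have.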
Re:Once again, kids (Score:1, Insightful)
http://www.xkcd.com/570/ [xkcd.com]
Re:I'm missing something (Score:1, Insightful)
So - this isn't a bug, and the article is just attention-grabbing. It's a fundamental limitation of links.
When a URL is obfuscated, Firefox warns you that things might not be what they appear to be. When that obfuscated URL is in an IFRAME, Firefox does not warn you that things might not be what they appear to be. Firefox's intended behaviour is to provide that warning. The intended behaviour does not match the actual behaviour. Therefore, this is a bug in Firefox.
The overall threat is a fundamental limitation of links. Firefox's attempt to mitigate that threat contains a bug.