Phishing Protection takes Firefox's security to a new level, helping to safeguard your financial information and protect you from identity theft. When you encounter a Web site that is a suspected forgery (known as a phishing site), Firefox will warn you and offer to take you to a search page so you can find the real Web site you were looking for.
A vulnerability in Firefox's Phishing Protection allows phishers to fool Firefox into treating a site as safe when it should have been flagged as a phishing site.
Credit:
The information has been provided by Kanedaaa.
The original article can be found at: http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php
Vulnerable Systems:
* Firefox 2.0.0.1
It is possible to bypass Phishing Protection by adding some characters to the URL. The URL remains valid and works as before, but no phishing warning is shown.
When we add a "/" character after the domain in the URL, Phishing Protection treats it as a different site from the original and the phishing check fails. Example: when my URL is on the phishing list:
http://kaneda.bohater.net/phish.html - warning will be displayed
http://kaneda.bohater.net//phish.html - warning will NOT be displayed
Of course we can add more "/".
As the earlier Firefox hex-encoding anti-phishing bypass showed, phishers can use this technique for abusive actions in the near future.
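The root cause is a blocklist lookup that compares the raw URL string instead of a canonical form, so any change the server ignores (a doubled "/" in the path) also changes the lookup key. The following is an added example, not code from the advisory or from Firefox: a naive exact-match check beside a lookup that canonicalizes the URL first (lower-cased scheme and host, default port and fragment dropped, runs of "/" collapsed, "." and ".." segments resolved). The blocklist is constructed for the example and contains the two URLs named on this page; the function names are assumptions.

```python
"""Added example: canonicalize URLs before a phishing-list lookup so that
"//" padding in the path does not defeat the match. Not Firefox's code."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample blocklist; both entries are URLs mentioned on the page.
PHISHING_LIST = {
    "http://kaneda.bohater.net/phish.html",
    "http://www.mozilla.com/firefox/its-a-trap.html",
}


def naive_is_phishing(url: str, blocklist=PHISHING_LIST) -> bool:
    """Exact string match: the bypassable behaviour the advisory describes."""
    return url in blocklist


def canonicalize(url: str) -> str:
    """Normalise the parts of a URL a sender can vary without changing
    which resource the server actually returns."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    # Host: lower-case, drop a trailing dot (same DNS name), keep non-default ports.
    host = (parts.hostname or "").rstrip(".").lower()
    port = parts.port
    default_port = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default_port:
        host = f"{host}:{port}"
    # Path: collapse runs of "/" (the bypass on this page), then resolve dot segments.
    path = re.sub(r"/+", "/", parts.path) or "/"
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if len(segments) > 1:      # never pop the leading empty root segment
                segments.pop()
        elif seg != ".":
            segments.append(seg)
    path = "/".join(segments) or "/"
    # Fragment is never sent to the server, so it cannot select a different page.
    return urlunsplit((scheme, host, path, parts.query, ""))


def is_phishing(url: str, blocklist=PHISHING_LIST) -> bool:
    """Lookup on the canonical form of both the candidate and the list entries."""
    canonical_list = {canonicalize(entry) for entry in blocklist}
    return canonicalize(url) in canonical_list


if __name__ == "__main__":
    for candidate in ("http://kaneda.bohater.net/phish.html",
                      "http://kaneda.bohater.net//phish.html",
                      "http://www.mozilla.com/firefox///its-a-trap.html"):
        print(f"{candidate}\n  naive={naive_is_phishing(candidate)} canonical={is_phishing(candidate)}")
```

Running the block shows the naive check missing every padded variant while the canonical check flags all of them. The same idea applies to any URL-keyed blocklist: canonicalize on both sides of the comparison, and treat any transformation the server ignores (case in the host, default ports, repeated or dot path segments, fragments) as part of the attacker's freedom unless the lookup removes it.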
Timeline:
* 2007.01.09 bug discovered
* 2007.01.19 "/" bug sent to http://bugzilla.mozilla.org [Bug 367538]
* 2007.01.19 answer from Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=367538
* 2007.02.06 posted to Bugtraq
Subject: duke
Date: 18 Apr. 2007
From: dukessdukess.dsa
This flaw has still been unpatched for months!!!
Firefox 2.0.0.2 and 2.0.0.3 are still vulnerable!!!
Subject: Still a bug in 2.0.0.7
Date: 10 Oct. 2007
From: Simon
It is still a bug in version 2.0.0.7, and you can try it yourself with this "phishing" page - it is Mozilla's test page and is not a real threat:
This triggers the phishing filter:
http://www.mozilla.com/firefox/its-a-trap.html
This does NOT trigger the phishing filter:
http://www.mozilla.com/firefox//its-a-trap.html