Fwd: New possible scam method : forged websites using XUL (Firefox)
----- Forwarded message from Jeff Smith -----
Mozilla Firefox allows remote sites to render XUL content that
mimics the browser's user interface. Using JavaScript, the real
interface can be turned off and replaced with fake UI components.
For spoofing the UI, the effectiveness of XUL is far greater than
that of static images or even DHTML. The security implications of
this trick were considered as early as 1999 in Mozilla Bug 22183
(http://bugzilla.mozilla.org/show_bug.cgi?id=22183). However, the
Mozilla Foundation kept the bug confidential until recently,
when a researcher noted the problem and published a
particularly effective demonstration, spoofing a "PayPal" login
site (see http://www.nd.edu/~jsmith30/xul/test/spoof.html).

The demonstration takes advantage of the fact that the browser is
designed to seamlessly render web applications written in XUL. XUL
is an XML-based language that creates a user interface. It can
produce buttons, menus, dialog boxes, and many more UI elements.
The most well-known application using XUL for its interface is the
Firefox browser itself. For more information, see
http://www.mozilla.org/projects/xul/.

The entire interface to Firefox is contained in a ~70kb XUL file
(chrome/browser.jar!content/browser/browser.xul). With
surprisingly few modifications, this same file was turned into a
malicious web application. The URL bar was modified to always
display "https://www.paypal.com/" and the status bar was modified
to include the "SSL Security" padlock icon. In addition,
JavaScript was added to make a spoofed "Security Info" dialog box
pop up after double-clicking the padlock icon. The spoofed dialog
box also derives from a XUL file in the Firefox UI, modified to
contain ostensibly legitimate information about the SSL
"certificate" of the page.

All said and done, the spoof successfully emulates a default
installation of Firefox with frightening accuracy. However,
because untrusted web applications have no access to user
preferences, most browser customizations are not reflected in the
spoof. This includes toolbar arrangement, the bookmarks menu, and
some browser extensions. (The browser theme [UI skin] is an
exception; it is spoofed.) In addition, to be effective, a user
must click on a link on a malicious web page or (more likely) a
forged email appearing to be from "PayPal".

The developers of Mozilla are currently looking into various
methods to make a fake user interface more obvious. The most
likely solution will be to force the status bar to always be
visible, as Microsoft will do with IE6 SP2.

More information:

http://bugzilla.mozilla.org/show_bug.cgi?id=22183
This is the first mention of the problem that I am aware of. It was
marked confidential for five years until 7-21-2004.

http://bugzilla.mozilla.org/show_bug.cgi?id=252198
This is the bug that was eventually filed on 7-19-2004.

http://bugzilla.mozilla.org/show_bug.cgi?id=252811
This is the proposed solution to the issue.

http://www.nd.edu/~jsmith30/xul/test/spoof.html
This is the demonstration of the spoof.

The author of the "PayPal" demonstration can be contacted via
email at jsmith30 at nd dot edu.

--
David Mirza Ahmad
Symantec
PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12