
Fwd: New possible scam method : forged websites using XUL (Firefox)



----- Forwarded message from Jeff Smith -----

Mozilla Firefox allows remote sites to render XUL content that 
mimics the browser's user interface.  Using JavaScript, the real 
interface can be turned off and replaced with fake UI components.  
For spoofing the UI, the effectiveness of XUL is far greater than 
that of static images or even DHTML.  The security implications of 
this trick were considered as early as 1999 in Mozilla Bug 22183
(http://bugzilla.mozilla.org/show_bug.cgi?id=22183).  However, the 
Mozilla Foundation has kept the Bug confidential until recently, 
when a researcher noted the problem and published a 
particularly-effective demonstration, spoofing a "PayPal" login 
site (see http://www.nd.edu/~jsmith30/xul/test/spoof.html).

The demonstration takes advantage of the fact that the browser is 
designed to seamlessly render web applications written in XUL.  XUL
is an XML-based language that creates a user interface.  It can 
produce buttons, menus, dialog boxes, and many more UI elements.  
The most well-known application using XUL for its interface is the 
Firefox browser itself.  For more information, see 
http://www.mozilla.org/projects/xul/.

The entire interface to Firefox is contained in a ~70kb XUL file 
(chrome/browser.jar!content/browser/browser.xul).  With 
surprisingly few modifications, this same file was turned into a 
malicious web application.  The URL bar was modified to always 
display "https://www.paypal.com/"; and the status bar was modified 
to include the "SSL Security" padlock icon.  In addition, 
JavaScript was added to make a spoofed "Security Info" dialog box 
pop up after double-clicking the padlock icon.  The spoofed dialog 
box also derives from an XUL file in the Firefox UI, modified to 
contain ostensibly-legitimate information about the SSL 
"certificate" of the page.

All said and done, the spoof successfully emulates a default 
installation of Firefox with frightening accuracy.  However, 
because untrusted web applications have no access to user 
preferences, most browser customizations are not reflected in the 
spoof.  This includes toolbar arrangement, the bookmarks menu, and 
some browser extensions.  (The browser theme [UI skin] is an 
exception; it is spoofed.)  In addition, to be effective, a user 
must click on a link on a malicious web page or (more likely) a 
forged email appearing to be from "PayPal".

The developers of Mozilla are currently looking into various 
methods to make a fake user interface more obvious.  The most 
likely solution will be to force the status bar to always be 
visible, as Microsoft will do with IE6 SP2.

More information:
http://bugzilla.mozilla.org/show_bug.cgi?id=22183
This is the first mention of the problem that I am aware of. It was 
marked confidential for five years until 7-21-2004.

http://bugzilla.mozilla.org/show_bug.cgi?id=252198
This is the bug that was eventually filed on 7-19-2004.

http://bugzilla.mozilla.org/show_bug.cgi?id=252811
This is the proposed solution to the issue.

http://www.nd.edu/~jsmith30/xul/test/spoof.html
This is the demonstration of the spoof.

The author of the "PayPal" demonstration can be contacted via 
email at jsmith30 at nd dot edu.

--

David Mirza Ahmad
Symantec 

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
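
The following is an added example, not part of the forwarded message or of the Mozilla code base: a small audit that flags script opening a window without the browser's own location bar or status bar, the chrome the message says is replaced and that the likely fix would keep visible. It assumes the chrome is hidden through the window.open() features string, which the message does not spell out; the sample input and all function names are constructed for illustration.

```javascript
// Added example: flag window.open() calls that request a window without
// the browser's own location bar or status bar (assumed hiding mechanism).
const TRUST_UI = ["location", "status", "toolbar", "menubar"];

// Parse "a=no,b=yes,c,width=400" into a Map of lowercased name -> value.
function parseWindowFeatures(features) {
  const parsed = new Map();
  for (const item of features.split(",")) {
    const [name, value = "yes"] = item.trim().toLowerCase().split("=");
    if (name) parsed.set(name.trim(), value.trim());
  }
  return parsed;
}

// Bars the requested window would lack.
// Legacy window.open rule: once a features string is given, unlisted bars are off.
function hiddenChrome(features) {
  if (features.trim() === "") return []; // no features: normal browser window
  const parsed = parseWindowFeatures(features);
  return TRUST_UI.filter((bar) => {
    const v = parsed.get(bar);
    return v === undefined || v === "no" || v === "0";
  });
}

// Find window.open(url, name, "literal features") calls in script text.
function auditSource(source) {
  const call = /window\.open\s*\(\s*[^,()]+,\s*[^,()]+,\s*(["'])(.*?)\1\s*\)/g;
  const findings = [];
  for (const m of source.matchAll(call)) {
    const hidden = hiddenChrome(m[2]);
    if (hidden.includes("location") || hidden.includes("status")) {
      findings.push({ call: m[0], hidden });
    }
  }
  return findings;
}

// Constructed sample input (not taken from the demonstration page).
const SAMPLE = `
  window.open("help.html", "help");
  window.open("login.xul", "w", "width=800,height=600,status=no");
  window.open("news.html", "n", "location=yes,status=yes,toolbar=yes,menubar=yes");
`;
console.log(auditSource(SAMPLE));
```

Only calls whose features are a string literal are examined; feature strings built at run time need dynamic analysis.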