Re: Fwd: New possible scam method : forged websites using XUL (Firefox)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Fwd: New possible scam method : forged websites using XUL (Firefox)
From: Justin Polazzo <jo@xxxxxxxx>
Date: 2 Aug 2004 13:15:49 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <20040730210508.GT19188@xxxxxxxxxxxxxxxxx>

"The security implications of 
this trick were considered as early as 1999 in Mozilla Bug 22183
(http://bugzilla.mozilla.org/show_bug.cgi?id=22183).  However, the 
Mozilla Foundation has kept the Bug confidential until recently, 
when a researcher noted the problem and published a 
particularly-effective demonstration, spoofing a "PayPal" login 
site (see http://www.nd.edu/~jsmith30/xul/test/spoof.html)."

5 Years to fix a vuln? I am not sure if even Microsoft has been that slow to 
confront a security flaw. Has anyone heard an explanation as to why this was 
kept confidential and swept under the rug until now?


BTW: Thank you Mr. Smith for an excellent page.

Jo

Follow-Ups:
- Re: Fwd: New possible scam method : forged websites using XUL (Firefox)
  - From: Peter J. Holzer

Prev by Date: Re: Citadel/UX Remote DoS Vulnerability
Next by Date: SideFind
Previous by thread: [ GLSA 200408-01 ] MPlayer: GUI filename handling overflow
Next by thread: Re: Fwd: New possible scam method : forged websites using XUL (Firefox)
Index(es):
- Date
- Thread