Re: New possible scam method : forged websites using XUL (Firefox)

To: "Peter J. Holzer" <hjp@xxxxxxxxx>
Subject: Re: New possible scam method : forged websites using XUL (Firefox)
From: Michael Reilly <michaelr@xxxxxxxxx>
Date: Tue, 03 Aug 2004 12:10:08 -0700
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20040803081116.GB21160@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Cisco Systems
References: <20040730210508.GT19188@xxxxxxxxxxxxxxxxx> <000e01c476ef$ba5b8d80$1900a8c0@pc1> <20040802095917.GB1742@xxxxxxxxx> <20040803081116.GB21160@xxxxxxxxx>
User-agent: Mozilla Thunderbird 0.5 (X11/20040318)

Along the same lines I took a look at the spoof using my customized firefoxand it was an obvious fake -


1.  The font is wrong
2.  The window size is wrong (it is twice the width of my browser window and
    almost 50% longer)
3.  The fake toolbar was below my toolbar so both were viable
4.  The address bar was also in the wrong place so I had two.
5.  I also had two status bars

Isn't a possible solution to disable any overlaying of existing elements(toolbar, status bar, address bar, etc.) once they are loaded from thebrowser's and user's on disk config? Lock them even before opening a socketto connect to a site.

Of course if there is an exploit to modify the on disk files then this won'twork.


michael
Peter J. Holzer wrote:

On 2004-08-02 11:59:17 +0200, Peter J. Holzer wrote:

* add a UI to the "allow javascript only from trusted sites" feature.(few people know that mozilla can do that, and even for those, editing
 user.js is tedious).



More on the lines of "few people know that Mozilla can do that":

Daniel Veditz wrote in
<URL:http://bugzilla.mozilla.org/show_bug.cgi?id=22183#c97>:

| Or we could just force the location bar to be on using the existing
| pref, but obviously there must be some reluctance to that or it'd be
| done already.

So I started to look for the "existing pref", and sure enough, if you
write

user_pref("dom.disable_window_open_feature.location", true);

in your prefs.js, the spoof looks much less convincing.
(You can also set this preference via "about:config".)

        hp


--
---- ---- ----
Michael Reilly    michaelr@xxxxxxxxx
    Cisco Systems,  California

References:
- Fwd: New possible scam method : forged websites using XUL (Firefox)
  - From: David Ahmad
- Re: New possible scam method : forged websites using XUL (Firefox)
  - From: Marc
- Re: New possible scam method : forged websites using XUL (Firefox)
  - From: Peter J. Holzer
- Re: New possible scam method : forged websites using XUL (Firefox)
  - From: Peter J. Holzer

Prev by Date: Re: New possible scam method : forged websites using XUL (Firefox)
Next by Date: CDE libDtHelp and dtlogin vulnerabilities on IRIX
Previous by thread: Re: New possible scam method : forged websites using XUL (Firefox)
Next by thread: RE: New possible scam method : forged websites using XUL (Firefox)
Index(es):
- Date
- Thread