<<< Date Index >>>     <<< Thread Index >>>

Firefox 2.0.0.1 and Opera 9.10 Anty Fraud/Phishing Protection bypass.




Firefox 2.0.0.1 and Opera 9.10 Anty Fraud/Phishing Protection bypass.

+ Subject:
Firefox 2.0.0.1 Phishing Protection bypass
Opera 9.10 Fraud Protection bypass

+ Version:
Firefox 2.0.0.1 [ Linux | Windows ]
Opera 9.10 Final [ Linux build 521 | Windows build 8679 ]

+ Discovered by:
Kanedaaa: http://kaneda.bohater.net

+ Impact:
Low

+ Firefox Phishing Protection Description: Phishing Protection takes Firefoxs security to a new level, helping to safeguard your financial information and protect you from identity theft. When you encounter a Web site that is a suspected forgery (known as a phishing site) Firefox will warn you and offer to take you to a search page so you can find the real Web site you were looking for.

+ Opera Fraud Protection Description: Oslo, Norway - December 18, 2006 Opera Software today introduced real-time Fraud Protection in its award-winning Web browser. Fraud Protection includes technology from GeoTrust, the leading digital certificate provider, and PhishTank, a collaborative clearing house for data and information about phishing on the Internet. Fraud Protection is available in Opera 9.1, the newest version of Opera's Web browser. Opera is available completely free at www.opera.com.

+ Bypass Description
It is possible to bypass Fraud Protection by add some characters to URL address. URL will be still valid and will work properly but we are not aware of Phishing warning.

At 2006.11 when version 9.10 was developed and Fraud Protection was tested I found that when we add "." char at the end of domain in URL field - DNS systems still resolve this address, Host: directive in HTTP GET will not break WWW server answer BUT for Fraud Protection it will be another site than original and Fraud Test will fail. For example: http://kaneda.bohater.net. != http://kaneda.bohater.net

After post to http://bugs.opera.com and on devel Opera forum, they made fix. [great!] In Opera 9.10 this bug dosn't work of course.

But today when I`m running Final 9.10 version I have found that when I added "/" character at the end of domain in URL it failed Phishing test again !!!

Example: When my URL is on Phishing List: http://kaneda.bohater.net/phish.html - warning will be displayed

http://kaneda.bohater.net//phish.html - warning will NOT be displayed

Of course we can add more "/".

FireFox is vulnerable in that same way.

Like live shows [Firefox HexEncoding Anti-Phishing bypass URL: http://sla.ckers.org/forum/read.php?13,2253 ] Phishers can use this technique in near future to abusive actions.

+ Opera Timeline: 2006.12.20 bug discovered 2006.12.21 "/" bug sended to http://bugs.opera.com 2007.01.19 no response and patch from vendor - probably will be fixed in future
2007.02.06 posted to Bugtraq

+ Firefox Timeline: 2007.01.09 bug discovered 2007.01.19 "/" bug sended to http://bugzilla.mozilla.org [Bug 367538] 2007.01.19 answer from Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=367538 2007.02.06 posted to Bugtraq

Original Advisory: http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php
http://kaneda.bohater.net/security/20061220-opera_9.10_final_bypass_fraud_protection.php

--
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]..
[+] You can take our lives,but you will never take our Freedom - W.Wallace
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama
[+] Revolution the only solution - System of a down...
[+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0
[-] Kanedaaa... Bohateur... Cucumber Team Member...     kaneda@xxxxxxxxxxx