Re: Firefox: about:blank is phisher's best friend

To: Michal Zalewski <lcamtuf@xxxxxxxxxxxx>
Subject: Re: Firefox: about:blank is phisher's best friend
From: Florian Weimer <fw@xxxxxxxxxxxxx>
Date: Thu, 22 Feb 2007 21:27:58 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.58.0702162209480.21898@dione> (Michal Zalewski's message of "Fri, 16 Feb 2007 23:50:52 +0100 (CET)")
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.58.0702162209480.21898@dione>

* Michal Zalewski:

> Similarly, he could spoof a native browser-originating modal warning or
> dialog to have the user do something dumb. This problem was addressed by
> forcibly prepending current site name to window title for all URL-bar-less
> windows, so that the Internet origin of such a pop-up is clear, and so
> that it will have a hard time mimicking a native window.

This is the first time I read about the forced window title change.  I
hadn't noticed it earlier.  Do you think this is a good enough
security indicator (or indicator of origin, to be more precise)?

Follow-Ups:
- Re: Firefox: about:blank is phisher's best friend
  - From: Michal Zalewski

References:
- Firefox: about:blank is phisher's best friend
  - From: Michal Zalewski

Prev by Date: WebSpell > 4.0 Authentication Bypass and arbitrary code execution
Next by Date: Re[2]: [Full-disclosure] Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak
Previous by thread: RE: Firefox: about:blank is phisher's best friend
Next by thread: Re: Firefox: about:blank is phisher's best friend
Index(es):
- Date
- Thread