×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

New Firefox iFrame Bug Bypasses URL Protections

CmdrTaco posted more than 3 years ago | from the is-nothing-safe-any-more dept.

Mozilla 118

Trailrunner7 writes "There is a newly discovered vulnerability in Mozilla's flagship Firefox browser that could enable an attacker to trick a user into providing his login credentials for a given site by using an obfuscated URL. In most cases, Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection, possibly leading to a compromise of the user's sensitive information."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

118 comments

iFrame? (3, Insightful)

plover (150551) | more than 3 years ago | (#33275116)

"iFrame"? Seriously? Of all the possible choices of camelCasing you could have picked from, "iFrame" is the only one that describes an Apple video format for the iPhone.

When referencing the inline frame HTML element, it's a lot clearer to use "iframe", "IFRAME", or even "IFrame".

Re:iFrame? (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33275228)

"iFrame"? Seriously? Of all the possible choices of camelCasing you could have picked from, "iFrame" is the only one that describes an Apple video format for the iPhone.

When referencing the inline frame HTML element, it's a lot clearer to use "iframe", "IFRAME", or even "IFrame".

iFrame? Seriously? Of all the possible choices of complaining about things you could have picked from, "iFrame" is the one you are going with? How about "14 million people effected by floods in Pakistan", "2 million AIDS deaths per year" or even any other issue that is actually relevant.

Oh, sorry. I'm off topic. /sarcasm

Re:iFrame? (1)

bejiitas_wrath (825021) | more than 3 years ago | (#33275470)

Is the iframe tag even compatible with XHTML 1.0? Who would use that when you could use the object tag? The object tag works better and is a little more up to date.

Re:iFrame? (3, Funny)

WrongSizeGlass (838941) | more than 3 years ago | (#33275554)

iFrames are commonly used to iNfect websites. iT's not always put there by the web designer.

Re:iFrame? (1, Funny)

Anonymous Coward | more than 3 years ago | (#33276906)

iFrames are commonly used to iNfect websites.

And you don't have to be an iNstein to discover that.

Re:iFrame? (0)

Anonymous Coward | more than 3 years ago | (#33276136)

Oh, sorry. I'm off topic. /sarcasm

Yeah, pretty much. Why even post drivel like that?

Re:iFrame? (1)

harlows_monkeys (106428) | more than 3 years ago | (#33276904)

How about "14 million people effected by floods in Pakistan"...

I want to hear more about this. How did the floods create 14 million people?

Re:iFrame? (2, Insightful)

Neil Boekend (1854906) | more than 3 years ago | (#33275392)

Seriously? Off all the possible names Apple could have chosen from they chose to use a name that also describes an antiquated but still used technique that is abused in attacks?

Re:iFrame? (0)

Anonymous Coward | more than 3 years ago | (#33276756)

You mean like calling their phone "iPhone", like the Cisco IP phone, and the OS "iOS", like a certain well-known router-OS?

Re:iFrame? (1)

Paracelcus (151056) | more than 3 years ago | (#33279378)

The iframe HTML statement is a valid way to format a webpage in a simple straightforward way. ie: <iframe src="foobar.html" style="border-width: 0pt;" frameborder="2" height="220" scrolling="auto" width="640"></iframe> .

Re:iFrame? (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33275846)

Plover could you take Steve Jobs' wrinkled old iPecker from out of your mouth please - it is thoroughly improper.

Re:iFrame? (1, Troll)

beelsebob (529313) | more than 3 years ago | (#33276182)

(Score:-1, Just Plain Bollocks)

Since when does apple have a video format called iFrame. Last I checked apple had no video codecs, and only one video container format called mov, and as far as supporting other people's codecs and containers supported only MPEG4, h264 and mp4 other than their own mov.

Given that nothing factual in your post is correct, the only thing I can assume is that you're simply taking the opportunity to yell "oh my god, someone made me think of apple, now I've lost 'the game'". There's a word for people who do that – it's troll. Shit, now I've fed the troll :(.

Re:iFrame? (2, Informative)

plover (150551) | more than 3 years ago | (#33276852)

(Score: +5, Troll)

Since when? 2009.

You couldn't even be bothered to google the nonsense you're spouting before claiming I'm the troll?

http://support.apple.com/kb/HT3905 [apple.com]
http://us.sanyo.com/News/SANYO-Dual-Cameras-are-World-s-First-with-iFrame-Video-Format [sanyo.com]
http://en.wikipedia.org/wiki/iFrame_(video_format) [wikipedia.org]

Given that nothing factual in your post is correct, the only thing I can assume is that you're the troll, and that I'm feeding you. Congrats on a well-played hand of stupidity!

Geek police ahoy! (0)

Anonymous Coward | more than 3 years ago | (#33279520)

What!? And miss out on an opportunity to have all those comments?

When do people like you finally get it that Slashdot works as follows:

1) edit a post in such a way that it pisses off enough people to comment
2) profit

Slashdot is all about user generated content, and it doesn't take that much to get daily hundreds of comments from the geek police.

Once again, kids (4, Insightful)

Pojut (1027544) | more than 3 years ago | (#33275176)

Never click on a URL within an email to take you to a website...always go directly to the website yourself.

Also, use some common sense. You're the 30,000th person today who has been told they are the one millionth visitor...ignore the temptation to smack that bear (or whatever flash ads are doing nowadays)

Re:Once again, kids (3, Funny)

PolygamousRanchKid (1290638) | more than 3 years ago | (#33275272)

...ignore the temptation to smack that bear (or whatever flash ads are doing nowadays)

I think the expression that you are looking for is spank that monkey.

Re:Once again, kids (1, Funny)

Anonymous Coward | more than 3 years ago | (#33275304)

30,000th person today who has been told they are the one millionth visitor

Hmmmm ... I like those odds.

Re:Once again, kids (5, Funny)

jbarr (2233) | more than 3 years ago | (#33275430)

You're the 30,000th person today who has been told they are the one millionth visitor.

Cool! What do I win?!?

Re:Once again, kids (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33276446)

http://www.xkcd.com/570/ [xkcd.com]

Re:Once again, kids (1)

Abstrackt (609015) | more than 3 years ago | (#33276716)

You're the 30,000th person today who has been told they are the one millionth visitor.

Cool! What do I win?!?

You used to win a trip to the tropics but due to cutbacks they just skip straight to giving you a virus.

Re:Once again, kids (1)

mlts (1038732) | more than 3 years ago | (#33277102)

The keylogger is free, and account compromise is guaranteed or no money back.

Re:Once again, kids (0)

Anonymous Coward | more than 3 years ago | (#33275458)

Actually, this brings out something that the open source community has overlooked. What if this is intentional? I dont mean to say that Mozilla does this intentionally, but a rogue programmer can always join a high profile project like this and contribute immensly, yet maintain a security hole to let him or his buddies exploit the bug int he long term. Has any thought given to this possibility at all?

Re:Once again, kids (1)

GameboyRMH (1153867) | more than 3 years ago | (#33278944)

Shoot the Duck
Punch the Monkey
Kick the Tiger
Poke the Pig
Lick the Walrus
Slap the Parrot
Rub the Eel
Squeeze the Cat
Flick the Fish
Squish the Worm

Take your Pick

Sigh... (2, Funny)

Anonymous Coward | more than 3 years ago | (#33275188)

When will people finally migrate away from Windows, IE and all the security flaws?

Wait a sec...

Re:Sigh... (1)

mfraz74 (1151215) | more than 3 years ago | (#33275220)

Perhaps we should all go back to using Lynx or other text only web browser. Who needs fancy graphics anyway?

Re:Sigh... (0)

nicolas.kassis (875270) | more than 3 years ago | (#33275244)

what does an iframe bug have to do with graphics? Lynx could have the same issues.

Re:Sigh... (2, Informative)

Anonymous Coward | more than 3 years ago | (#33275442)

From Using Lynx in a Graphical WWW [pacific.net.sg] :

When Lynx encounters an inline (or floating) frame, it will display IFRAME: [Name_of_Source / Name_of_File]. The name of the source or file will be hyperlinked to the source file, allowing you go there.

That is why. Now stop disagreeing with people in order to look insightful. It takes 3 seconds to Google that shit.

Re:Sigh... (0)

Anonymous Coward | more than 3 years ago | (#33275504)

Nearly all these security issues go back to the belief at Netscape and Microsoft in the mid 1990s that the web browser was going to become a software platform. They turned a markup text medium into a hash-pie of convulted scripts and plugins with scant attention to security or sane programming practices. If Mosaic had been an open source project from the outset then perhaps the current mess of security holes courtesy of javascript, frames, blink tags, ActiveX and Flash would've been avoided.

Re:Sigh... (1)

plover (150551) | more than 3 years ago | (#33275982)

Yes, because static, unchanging, unchangeable pages provide such a useful, engaging wealth of information, and provide an effective direct line to commerce.

Bemoaning 15 year old decisions embraced by the rest of the world is f'ing useless. Here's the key piece of information your ego refuses to acknowledge: it doesn't matter what you thought 15 years ago. Without you, HTML evolved anyway; browsers have evolved, consumers have evolved, and content providers have evolved. So get over your whiny self and start dealing with reality.

Re:Sigh... (0)

Anonymous Coward | more than 3 years ago | (#33276880)

In case you haven't noticed, such things as PHP and Perl exist. Text mode != static.Let me guess, you are one of those web designers who only make pages that only work with iE, right?

Re:Sigh... (1)

plover (150551) | more than 3 years ago | (#33277134)

Right, text mode is safe because PHP is so secure? Not following the train of your thought on that one...

I'm missing something (1)

The MAZZTer (911996) | more than 3 years ago | (#33275198)

OK so by URL obfuscation I assume it means using russian or other non-latin characters in place of latin ones in domain names to make a site domain look like paypal etc. But if you just put the login form in a frame THE TOP LEVEL PAGE STILL NEEDS A URL. I don't understand how that would help any, or am I misinterpreting "url obfuscation"? I link to the relevant bugzilla bug would be useful.

Re:I'm missing something (3, Informative)

Abstrackt (609015) | more than 3 years ago | (#33275358)

You can update the status bar to indicate something else, you can use the legitimate site as a username for a non-legitimate site (i.e. www.google.com@www.malwaresite.com), or you can just make the URL look as official as possible (i.e. ebay-secure.com) and hope people believe it's authentic.

You can also access the site numerically (e.g. http://1208929379/ [1208929379] is Google) but that's more for fun than evil.

Re:I'm missing something (1)

EMN13 (11493) | more than 3 years ago | (#33275508)

Right - is any of that a browser bug or is that merely people failing at phishing detection?

Re:I'm missing something (1)

Abstrackt (609015) | more than 3 years ago | (#33275582)

Right - is any of that a browser bug or is that merely people failing at phishing detection?

Those are just a few examples of what URL obfuscation looks like, which was the question I was answering. You could stick the two middle examples into an iframe if you wanted though.

Re:I'm missing something (1)

plover (150551) | more than 3 years ago | (#33276092)

Right - is any of that a browser bug or is that merely people failing at phishing detection?

The two are pretty much the same these days. Half the populace can't tell the difference between the internet and their browser, and those people will never understand security attacks like phishing or malicious redirection. But some of them at least can be taught that a warning box is a scary thing that you should click "no" on.

Re:I'm missing something (1)

AHuxley (892839) | more than 3 years ago | (#33275382)

could just be blue plain text with a link from a simple expected link text [slashdot.org] to a more complex url that has the known expected 'words' in it, hex code, IP addresses, dword, octal IP, just shifted by a few . . surrounded by complex letters and numbers.

Re:I'm missing something (2, Insightful)

EMN13 (11493) | more than 3 years ago | (#33275536)

So - this isn't a bug, and the article is just attention-grabbing. It's a fundamental limitation of links.

Re:I'm missing something (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33276602)

So - this isn't a bug, and the article is just attention-grabbing. It's a fundamental limitation of links.

When a URL is obfuscated, Firefox warns you that things might not be what they appear to be. When that obfuscated URL is in an IFRAME, Firefox does not warn you that things might not be what they appear to be. Firefox's intended behaviour is to provide that warning. The intended behaviour does not match the actual behaviour. Therefore, this is a bug in Firefox.

The overall threat is a fundamental limitation of links. Firefox's attempt to mitigate that threat contains a bug.

Re:I'm missing something (5, Informative)

smalltux (1127541) | more than 3 years ago | (#33275716)

The blog post that TFA refers to should be this one:
http://blog.armorize.com/2010/08/iframes-and-url-stringency-mozilla.html [armorize.com]

(Yea, their typing skills don't impress me either.)

That in turn links to a BugZilla entry [mozilla.org] , though it's locked down at the moment.

Re:I'm missing something (1)

The MAZZTer (911996) | more than 3 years ago | (#33277574)

Ah, I see, it's the username@url trick they're referring too, and the dialog box that comes up. But that still would not affect the url of the top level frame, which users are going to check.

Oh Please ... (1, Informative)

WrongSizeGlass (838941) | more than 3 years ago | (#33275240)

So Firefox has a security issue? All browsers do. Mozilla tends to fix them very quickly so I'm sure this will be patched soon enough.

Remember kids, 'Free Software' != 'Bug Free Software'.

Re:Oh Please ... (4, Informative)

Ziekheid (1427027) | more than 3 years ago | (#33275626)

It's not even a security issue as far as I'm concerned. It's just one of their bonus services not detecting bad sites properly. There is no vulnerability in the browser itself, it's the user.

Re:Oh Please ... (2, Insightful)

Bill Hayden (649193) | more than 3 years ago | (#33275744)

Users are harder to patch though.

Re:Oh Please ... (0)

Anonymous Coward | more than 3 years ago | (#33276242)

But they are so much more fun when you can plug their security holes.

Re:Oh Please ... (0)

Anonymous Coward | more than 3 years ago | (#33277760)

Users are harder to patch though.

If you have the authority or enough higher ups on your side just take the computer away from the user for a while and politely explain that they don't have it because they didn't follow the security policy. Wipe the hard drive, reinstall everything and tell them the time it will probably take even longer to fix.

Re:Oh Please ... (4, Informative)

Johnath (85825) | more than 3 years ago | (#33280084)

I work for Mozilla on Firefox and I just wanted to respond to some of the claims being made here. We've opened up the bug so that others can take a look (bug 570658), but there is not much to see, here. The bug says that:

1) if you visit a page that uses an iframe
2) and that iframe's src attribute uses a deceptive url (e.g. "http://safe.com@evil.com")
3) then we don't pop up a warning that the url is deceptive

What's odd about the bug is that there is very little value to step 2 - only someone examining the page's source would notice the iframe's src attribute, so it's not clear to me where the deception is supposed to come in. A genuinely malicious page would source their attack iframes directly, unless they thought that this deceptive url might fool our phishing/malware protection. It won't.

If someone thinks we're overlooking an attack vector here, we're really interested to hear it, but as described the attack feels pretty weak.

If you think we're missing something critical, please do comment in the bug or get in touch with our security group ( http://www.mozilla.org/security/ [mozilla.org] ).

Johnathan

That's why you don't rely on the bells & whist (4, Informative)

jbarr (2233) | more than 3 years ago | (#33275242)

If you rely on some alert or some fancy feature for protection, you really aren't being as proactive as you could. Regardless of what any alerts might or might not say, if the URL doesn't look right, err on the side of caution. While there are always exceptions, if you don't know what a "good" URL looks like, take the time to educate yourself.

Re:That's why you don't rely on the bells & wh (0)

Anonymous Coward | more than 3 years ago | (#33275642)

hmmm lets try this

www.SLASHD0T.org
www.SLASHDOT.org

Which one is the real one? Depending on your font you may not be able to tell at all... I could even precondition you in some way by using one letter over another a bunch so you brain thinks hmm maybe this is the right letter. 0ver the course of time you may be able to tell quickly. But that is only if you look at style all the time. Many people do not. I for example can see something that is 2 pixels off. Many people can look at the same screen and it looks fine to them.

(its the second one and I preconditioned you in the middle of the paragraph)

Re:That's why you don't rely on the bells & wh (1)

characterZer0 (138196) | more than 3 years ago | (#33276606)

It doesn't matter. If I am going to type in important information, I backspace out the scheme and url and type in what I know it should be. Everybody else should too.

Re:That's why you don't rely on the bells & wh (1)

mlts (1038732) | more than 3 years ago | (#33277262)

Even better is if one uses double-byte characters and drops in Cyrillic characters. That domain may say one thing, but in reality, it might lead to a completely different rabbit hole.

Combine that with CAs who have been mentioned on /. as untrustworthy, and people may get a perfectly secure HTTPS connection to something that looks exactly like their bank's URL, but in reality is nowhere near.

Re:That's why you don't rely on the bells & wh (1)

jbarr (2233) | more than 3 years ago | (#33278570)

True, but hovering over the URLs shows them in a clean font in the status bar of Firefox, so it's obvious which one is which.

But your point is taken. No one can know everything. but that's why we need to educate those who are prone to get stung by this stuff. My mantra to my parents and friends is, "If the link you are clicking on is unfamiliar or sent to you by someone you don't know, then just don't click it. Otherwise, proceed with caution." Sure, it isn't perfect, but it has significantly reduced the calls I get asking me to bail them out of a mess.

Re:That's why you don't rely on the bells & wh (2, Insightful)

JustinOpinion (1246824) | more than 3 years ago | (#33276000)

if you don't know what a "good" URL looks like, take the time to educate yourself.

That is good pragmatic advice. But it points to a fundamental failing in the current architecture.

It basically means that every person must become proficient in parsing URLs themselves. They have to understand what the "http" means, what the resolution order is (why "facebook.com" is very different from "facebook.com.evil.uk"), to know about fonts (to differentiate ".com" and ".corn" or ".COM" from ".C0M"), to understand what character sets and encodings are (to notice other character substitutions), and to even understand subtleties of character sets (like the unicode "mirror" character... [azarask.in] ).

In other words, it really sounds like we're asking people to do the task that a piece of parsing software should be doing. That's asking quite a lot of the average user. This doesn't mean that there is a simple solution. I certainly don't know what the answer is. But I'm just saying that knowing what a "good" URL looks like is not so simple. I have sympathy for users who get confused. So anything we can do to help them differentiate good from bad is probably a good thing.

Re:That's why you don't rely on the bells & wh (0)

Anonymous Coward | more than 3 years ago | (#33280172)

I have sympathy for users who get confused. So anything we can do to help them differentiate good from bad is probably a good thing.

I do, too, which is probably why some kind of mandatory education about the internet should be necessary. We license drivers, maybe it's time to license internet users. I'm a libertarian, but sometimes people do need to be protected from their own stupidity. When you want to drive a vehicle around town, you need to learn the basics of how traffic flows. If you want to drive a bigger vehicle with a 5th wheel around town, you even need to understand some common failure points when connecting and disconnecting from a trailer and other things like how to read your air pressure and the operation principle of air brakes.

Perhaps if people decide to store personal information on these newfangled computer devices, they should be aware of the ways that their information could become compromised. They should be aware of how their system can even be subverted, and they should know common internet conventions like the anatomy of a URL (protocol, domain name, etc).

Computers are fantastically complicated devices. They're wonderful machines that do whatever you want. Unfortunately, people expect that computers are semi-living beings (kind of like Star Trek), and that they just naturally get worms and viruses over time, like people and pets get sick. Don't go out in the cold! You'll get sick. Don't surf without AV software or it'll get sick! Perhaps some mandatory user education could help people get away from superstitions like every internet website must needs start with "www dot" and end with "dot com." (My co-workers have a very difficult time when a client requests they access websites that don't start with "www dot.")

The repercussions of licensing internet users (anonymity, tin foil hats, etc) is beyond the scope of this (anonymous) post.

Re:That's why you don't rely on the bells & wh (1)

Dhalka226 (559740) | more than 3 years ago | (#33280578)

hey have to understand what the "http" means, what the resolution order is (why "facebook.com" is very different from "facebook.com.evil.uk"), to know about fonts (to differentiate ".com" and ".corn" or ".COM" from ".C0M")

I think you're grossly over-complicating it. They don't need to know what http means. For people for whom that is too difficult a task, they should just know that it (or https) should be there. And even then I'm not really sure what kind of attack you could pull off by changing the protocol, assuming that they know the rest of the tips.

They do need to know the resolution order, but only generically. "The rightmost part of a domain is the important part of where you're going" is going to protect against the vast majority of potential attacks, and all it requires teaching is where the domain stops (the first slash after "http://").

The font thing is really contrived, and easily avoided by simply informing users that what the link says isn't always where it goes, and that they should look at their browser bar to see where it's actually pointing. In fact this is something that needs to be pointed out rather than taught, since almost all web users have seen a link in this fashion [google.com] with descriptive text instead of a URL. Nobody thinks that's going to "in this fashion," whatever that is, so they already intuitively know it; they just need to be informed that it can be used for nefarious purposes and where to see what it's actually pointing at.

Can software do this? Yes. Should it? Yes. Should users rely on it? No. Making it seem like users need to attend classes in order to protect themselves from simple attacks like this is disengenuous. All it takes is a modicum of effort, which is prohibitive enough these days it seems.

Re:That's why you don't rely on the bells & wh (2, Interesting)

shish (588640) | more than 3 years ago | (#33276116)

if you don't know what a "good" URL looks like

What does the URL of an iframe look like?

This does not affect my Firefox version (5, Funny)

rshxd (1875730) | more than 3 years ago | (#33275330)

I run a Mac and Macs are clearly immune from this because we do not get hacked nor get viruses. Brb, downloading this .pdf someone just sent me. I don't know who they are but I think I won some kind of lottery

Re:This does not affect my Firefox version (-1, Redundant)

Neil Boekend (1854906) | more than 3 years ago | (#33275432)

[woosh]
Some of the attacks would still affect you. You could enter your login and password at a known webshop and have the hacker get those. The next move they could make is to alter your data and send themselves a lot of stuff and send the bill to you.
[/woosh]

Re:This does not affect my Firefox version (0)

logjon (1411219) | more than 3 years ago | (#33275488)

Woosh indeed...

Re:This does not affect my Firefox version (0)

Anonymous Coward | more than 3 years ago | (#33276096)

I think that was an attempt at karma whoring.... not seen that in a while. Or maybe I've become immune to it? Anyway, he acknowledged rsxhd was joking, but went fishing for a +i* mod by explaining the joke. Stunningly it has been moderated redundant, but is that because the moderator recognised the pointlessness of Neil's post, or was it a Mac fanboy upset to see a possible attack on a computer user, who is on a Mac, explained?

I guess if this is modded flamebait or something, we'll find out.

Re:This does not affect my Firefox version (2, Interesting)

644bd346996 (1012333) | more than 3 years ago | (#33276166)

Umm, most Mac users aren't vulnerable to PDF exploits because they use the built-in Preview.app to read PDFs, not Adobe's Reader, and Preview.app doesn't support JavaScript, which is required for any PDF exploit. You also can't disguise an application or shell script or executable binary or disk image by putting .pdf at the end of the filename.

Re:This does not affect my Firefox version (2, Interesting)

MacTenchi (104785) | more than 3 years ago | (#33277866)

Yes, but the iPhone jailbreak: a PDF vulnerability that lead to arbitrary code execution. Preview.app may not be as safe as you think.

Re:This does not affect my Firefox version (0)

Anonymous Coward | more than 3 years ago | (#33280506)

Then hack it already.

TFA is crap. (0)

Anonymous Coward | more than 3 years ago | (#33275394)

> Many of the mass SQL injection attacks and other large-scale Web-site compromises that have cropped up in the last couple of years have used iFrames as part of their attack vector.

Really? You need a an iframe for SQL injection? (hint, you don't even need a browser) The author clearly doesn't know what he's talking about.

How exactly would warning someone about the content of an iframe matter if the top level site has a bogus URL? You can't even see the URL in an iframe. I'm not going to log into bankofamerica.ru even if it's using an iframe, period.

Unless the bug is something like this:

1) I create an obfuscated URL that looks like bank of america, which FF would normally warn about.

2) I create an iframe in the page, which prevents FF from warning the user.

That would be a really bug, but again the author doesn't even appear to know enough to give relevant details like that.

Step One: Uninstall Windows (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33275466)

Step Two: Install Ubuntu [ubuntu.com]

This really isn't all that complicated.

Re:Step One: Uninstall Windows (0)

Anonymous Coward | more than 3 years ago | (#33275606)

Step Two: Install Ubuntu [ubuntu.com]

This really isn't all that complicated.

Yeah, that'll make people look at the URLs and not just presume it's their banks' website...

Isn't the default webbrowser on Ubuntu Firefox anyway?

Re:Step One: Uninstall Windows (3, Insightful)

Tim C (15259) | more than 3 years ago | (#33275916)

Or relevant, given the flaw is in Firefox.

Re:Step One: Uninstall Windows (0)

Anonymous Coward | more than 3 years ago | (#33277412)

Firefox runs on windows.

Re:Step One: Uninstall Windows (1)

maxwell demon (590494) | more than 3 years ago | (#33277782)

And on Linux.
Indeed, I'm just typing this in a textbox in Firefox running on Linux.

Re:Step One: Uninstall Windows (0)

Anonymous Coward | more than 3 years ago | (#33280124)

Running Firefox in Wine is not the same as installing Firefox on Linux. Windows vulnerabilities can show up in Wine, this is nothing new.

Re:Step One: Uninstall Windows (1)

Abstrackt (609015) | more than 3 years ago | (#33277812)

Firefox runs on windows.

Firefox also runs on Linux. Now that the argument has come full circle, I suggest you reread Tim C's comment and think a little harder about what he's saying: your OS doesn't matter.

Step One: Uninstall Linux (0)

Anonymous Coward | more than 3 years ago | (#33280744)

Step Two: Install FreeBSD.
Exactly how much handholding do you require during any given day?

Re:Step One: Uninstall Windows (0)

Anonymous Coward | more than 3 years ago | (#33278750)

and Macs

Re:Step One: Uninstall Windows (0)

Anonymous Coward | more than 3 years ago | (#33277438)

Maybe you should follow this steps before posting comments:

1) Think.
2) No, that's not thinking.
3) Nevermind.

Remembering passwords (3, Interesting)

Anonymous Coward | more than 3 years ago | (#33275468)

My theory is that in general (unless you're using a public PC) it's safer to get the browser to remember your passwords for you. It's smarter than you in that it matches by the exact real URL of a form page and so won't insert your credentials into a bogus page. However, by that point you'll be used to the browser typing in your credentials for you, and will be jarred out of complacency when you notice that it hasn't.

Re:Remembering passwords (4, Interesting)

natehoy (1608657) | more than 3 years ago | (#33276806)

Good start, but I'd go one step further. In fact, I do.

Have your browser remember your passwords for you, but for any important passwords make the stored username and password invalid (or an incomplete one that you can enter the rest of, then just remember not to click on the "update" button that comes up). Even just dropping one character off the username and password is enough.

That way, if you are fooled into an iframed URL, you'll see the symptom you describe, but if some future bug makes the password list vulnerable to attack, any potential attacker only gets (at most) only part of each password, not all of it.

Also, always allow the bogus username/password to present once before you enter the real one. If you see a "login failed" screen that looks legit, you're probably good to go, and you can enter your real username and password. If you see anything that looks like it's trying to pretend to be your bank, you know something was wrong but you also know your account credentials didn't get disclosed.

When I'm in the mood, I'll also sometimes whip up a quick temporary guest account on my computer to click on a few of the provided links in things that are obviously bogus and enter clearly ridiculous credentials into the resulting page a few times. Even the least attentive bank IT department would probably look askance at 10 failed login attempts for user "I_AM_A_HACKER" and want to consider tracing out their IP address. I'll probably never get any actual hackers caught, but it feels as good as ripping up all the junk mail I get and returning it in the little postage-paid envelopes they so thoughtfully provide. :)

Re:Remembering passwords (2, Interesting)

The MAZZTer (911996) | more than 3 years ago | (#33278728)

Phishing sites will sometimes show a login failed screen on the first try so you think you entered a bad login. Then they redirect you to the real site login page so you can "try again".

One word. (0, Troll)

carp3_noct3m (1185697) | more than 3 years ago | (#33275656)

NOSCRIPT

Re:One word. (0)

Anonymous Coward | more than 3 years ago | (#33275690)

It's a nice word, but what does blocking JavaScript have to do with iframe tag misuse?

Re:One word. (0)

Anonymous Coward | more than 3 years ago | (#33275920)

noscript blocks IFrame elements... duh!

Re:One word. (0)

Anonymous Coward | more than 3 years ago | (#33276732)

Perhaps the original poster should've used more words to illustrate that feature.

link to a working demo ? (1)

viralMeme (1461143) | more than 3 years ago | (#33275664)

Is there a link to a working demo ?

Re:link to a working demo ? (0)

Anonymous Coward | more than 3 years ago | (#33275986)

Unfortunately not - but on another subject, your bank has just been in contact and would like you to verify your details.

Please log in at:

http://yourbank.com.givemeyourdetails.com/login.aspx

It's all above board - honest!

Re:link to a working demo ? (0)

Anonymous Coward | more than 3 years ago | (#33276936)

Yep, at http://malware-r-us.org/scamDemo.html. You need to enter your credit card number to see the demo.

Block iframes (1)

Raghu13 (1084079) | more than 3 years ago | (#33277908)

Iframes have been the vector of attack in web domain for a long time. Blocking iframes has two fold advantage -- blocks these kind of exploits and blocks crap ads too. Blocking(/Unblocking them if required) them isnt that hard either.

Alert? (1)

Iggyhopper (1880812) | more than 3 years ago | (#33278200)

"Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection" So, nothing of value will be lost if you're smart. Gotcha.

Firefox blows (1)

A Big Gnu Thrush (12795) | more than 3 years ago | (#33278286)

In a few releases, it will be worse than IE. It's not even in my top three browsers any more.

I would tell give you the list, but they're pretty obscure. You probably haven't heard of them.

Prohibit cross domain iframes (1)

butlerm (3112) | more than 3 years ago | (#33278926)

The solution is very simple: Cross-domain iframes should be prohibited. End of problem.

Newsflash (0)

Anonymous Coward | more than 3 years ago | (#33279408)

If the end user is dumb, they will get duped. There's only so much that browser protections can do to prevent you from your own sheer stupidity.

What?!! (1)

gqx (1293372) | more than 3 years ago | (#33280334)

I can't believe that Slashdot got trolled so nicely. Here is the complete proof of concept:

<iframe src="http://foo:bar@example.com"></iframe>

The author's nearly incomprehensible complaint (http://blog.armorize.com/2010/08/iframes-and-url-stringency-mozilla.html [armorize.com] ) is essentially that this is allowed to load, while entering http://foo:bar@example.com in the address bar results in a phishing-related warning. The purpose of this warning is to confirm you actually understand the syntax of the URL displayed in that very address bar.

Let that sink in for a while.

If you don't see a fundamental difference between these cases that makes this report completely rubbish, you should probably surrender your geek badge now.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...