Fix for URL Spoofing Security Vulnerability Checked in to Mozilla Trunk and 1.6 Branch

Wednesday January 7th, 2004

The latest nightly builds of Mozilla feature a fix for the URL spoofing security vulnerability discovered in several browsers last month. A patch was checked in to the trunk and 1.6 branch yesterday, meaning that both the forthcoming Mozilla 1.6 and Mozilla Firebird 0.8 will be immune to the flaw.

In vulnerable versions of Mozilla, the address displayed in the Status Bar while hovering over a link is truncated if the characters %00 are present in the URL of the destination page. An attacker could exploit this to make a link that goes to (real location but appears in the Status Bar as simply By fooling a user into believing that he or she is visiting a trusted site, an attacker could trick him or her into revealing sensitive information such as credit card details.
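A mail gateway or proxy can flag links of this kind before a user ever hovers over them. The following is an added example, not code from the Mozilla patch or bug 228176; the function names and sample hosts are constructed, and it assumes a vulnerable display stops at the first decoded NUL.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Percent-encoded control characters (%00-%1F, %7F).
_CTRL = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")

def audit_link(href):
    """Return (real_host, shown_if_truncated, findings) for one link target."""
    parts = urlsplit(href)
    findings = []
    if "@" in parts.netloc:
        findings.append("userinfo-present")
    if _CTRL.search(parts.netloc):
        findings.append("encoded-control-char-in-authority")
    elif _CTRL.search(href):
        findings.append("encoded-control-char")
    decoded = unquote(href)
    # Assumption: a vulnerable display stops at the first decoded NUL.
    shown = decoded.split("\x00", 1)[0]
    if shown != decoded and urlsplit(shown).hostname != parts.hostname:
        findings.append("display-host-mismatch")
    return parts.hostname, shown, findings

class _Links(HTMLParser):
    """Collect href values from <a> tags, e.g. in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit_html(html):
    """Map each suspicious href to its audit result; clean links are omitted."""
    parser = _Links()
    parser.feed(html)
    results = {h: audit_link(h) for h in parser.hrefs}
    return {h: r for h, r in results.items() if r[2]}

# Constructed sample: one ordinary link, one whose displayed and real hosts differ.
SAMPLE = ('<p><a href="http://www.example.org/help?q=a%20b">help</a> '
          '<a href="http://trusted.example%00@collector.example/login">sign in</a></p>')

if __name__ == "__main__":
    for href, (host, shown, findings) in audit_html(SAMPLE).items():
        print(f"{href}\n  real host: {host}\n  shown as:  {shown}\n  {findings}")
```
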

The flaw was originally detected in Microsoft Internet Explorer before also being spotted in Mozilla. The IE variant is more serious, however, as it affects not only the URL displayed in the Status Bar but also the URL shown in the Address Bar after following a spoofed link. At the time of writing, Microsoft has acknowledged the problem but not yet issued a patch.

Full technical details of the fix are in bug 228176. The Secunia Internet Explorer Address Bar Spoofing Test page allows browser users to check whether their software is vulnerable.

Update: The patch has now also been checked in to the 1.4 branch and will be included in the forthcoming Mozilla 1.4.2.

#11 Re: Any idiot can do that

by jgraham

Thursday January 8th, 2004 2:53 AM

4 or 5 people? In the browser maybe. In HTML mail, *everyone* has javascript disabled. A scam exploiting this behaviour is *far* more likely to start life as an email saying "Log into your ebay account or have it deleted: <>&keepaccount%00; " than it is to begin on some random webpage. You might also be interested to know that Mozilla has an option that prevents javascript from changing text in the status bar, precisely to prevent this type of javascript based spoofing.

As for the other person who said that the username should not be displayed in the status bar, there are lots of bugs open with better solutions to this problem. Personally, I favour something like:

site : username: password:

appearing in the status bar, since that makes it very obvious what is going on, and even helps prevent javascript spoofing (different text would be needed for Mozilla and IE in order to spoof the status bar effectively. People running a scam would probably go for the 95% of people running IE rather than bothering to write complex browser detection scripts).