Firefox suffers from a design flaw that can be used to confuse casual
users and evoke a false sense of authority when visiting a fraudulent
website. The flaw can be also used to bypass a fix for an old UI spoofing
bug that was thought to be addressed. This is a relatively minor issue,
but I thought it's worth reporting.
It is possible for a script to open 'about:blank' URL in a new tab; this
tab will be opened with a blank address bar (the behavior is different for
new windows, where the bar will be grayed out or hidden).
The script can then interact with this document as if it were a page in
the same domain, including the ability to inject of custom HTML. Some
methods of adding this HTML, such as win.document.write(), will update
document.location and the address bar to that of the interacting script,
which seems like an intuitive choice - the user is informed about the
origin of the displayed data.
Since about:blank is a minimal but valid HTML document with a DOM
structure, it is also possible to inject code through the use of
win.document.body.appendChild() and friends, in which case, the URL bar
remains blank, the 'reload' button is disabled, and 'page info' / 'page
source' menu options will show no useful data.
Having text displayed in a window that has an empty URL bar can confuse
the user as to the origin of the displayed data or security prompts, as if
they were internal browser messages; an empty address bar is considerably
less suspicious than a shady host name or a panic-inducing data: URL
scheme.
Furthermore, there was an old UI spoofing bug - when a window was opened
without URL bar and menus, the attacker could use strategically placed
graphics and HTML controls (or XUL code), so that the fake URL bar read
"google.com", while an IFRAME below could display "zombo.com" instead.
Similarly, he could spoof a native browser-originating modal warning or
dialog to have the user do something dumb. This problem was addressed by
forcibly prepending current site name to window title for all URL-bar-less
windows, so that the Internet origin of such a pop-up is clear, and so
that it will have a hard time mimicking a native window.
The problem is that 'about:blank' windows that have no document.location
defined can be used to inhibit this behavior - window title can be freely
controlled, except for the appended ' - Mozilla Firefox' string, and spoof
browser UI elements without the user having a reason to be suspicious.
A quick if naive demonstration of the two attacks described here can be
found at this URL:
http://lcamtuf.coredump.cx/ffblank/
[ Note that I simply used a screenshot of my UI, which is a non-standard
one, and the image is not compensated for other screen resolutions etc;
as such, you should be able to see that the URL bar is unusual and
non-interactive; that's not a limitation of this attack, but rather,
an unloved bastard child of my sheer laziness. ]
<rant>
PS. On an unrelated note - in 2004, people began to notice that these
nifty yellow security notification bars that appear on the top of
MSIE7 and FF windows can be trivially spoofed by a webpage ("A plugin
is required to display this content." / "An update to Firefox is
available"), proving that placing messages in a script-accessible
region of the window was a terrible, terrible design decision. These
problems were not fixed, but rather dismissed as a user responsibility
(to do what exactly, learn all legitimate notices and tell them from
fakes?). What the hell?
</rant>
Cheers,
/mz
http://lcamtuf.coredump.cx
Update :
-----------------------------------
On Sat, 17 Feb 2007 zonafirefox (at) gmail (dot) com [email concealed] wrote:
> I tested it in IE7 and has the same problem. Opera 9.10 blocks the
> opening of the new window but fails in the second button.
With MSIE7, it is possible only if you check 'Allow websites to open
windows without address or status bar' for that particular zone;
otherwise, all windows will have a minimal URL bar attached.
I'm not sure whether this setting is default - if it is, yeah, that'd be
bad for MSIE.
As far as Opera is concerned - by default, Javascript can't hide address
bars, and if you change this option, the originating URL is still
displayed.
/mz
---------------------------