Firefox: about:blank is phisher's best friend

Risk: Low
Local: Yes
Remote: Yes
CWE: CWE-Other

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Firefox suffers from a design flaw that can be used to confuse casual users and evoke a false sense of authority when visiting a fraudulent website. The flaw can also be used to bypass a fix for an old UI spoofing bug that was thought to be addressed. This is a relatively minor issue, but I thought it's worth reporting.

It is possible for a script to open the 'about:blank' URL in a new tab; this tab will be opened with a blank address bar (the behavior is different for new windows, where the bar will be grayed out or hidden). The script can then interact with this document as if it were a page in the same domain, including the ability to inject custom HTML. Some methods of adding this HTML, such as win.document.write(), will update document.location and the address bar to that of the interacting script, which seems like an intuitive choice - the user is informed about the origin of the displayed data. Since about:blank is a minimal but valid HTML document with a DOM structure, it is also possible to inject code through the use of win.document.body.appendChild() and friends, in which case the URL bar remains blank, the 'reload' button is disabled, and the 'page info' / 'page source' menu options show no useful data.

Having text displayed in a window that has an empty URL bar can confuse the user as to the origin of the displayed data or security prompts, as if they were internal browser messages; an empty address bar is considerably less suspicious than a shady host name or a panic-inducing data: URL scheme.

Furthermore, there was an old UI spoofing bug - when a window was opened without a URL bar and menus, the attacker could use strategically placed graphics and HTML controls (or XUL code), so that the fake URL bar read "", while an IFRAME below could display "" instead. Similarly, he could spoof a native browser-originating modal warning or dialog to have the user do something dumb.

This problem was addressed by forcibly prepending the current site name to the window title for all URL-bar-less windows, so that the Internet origin of such a pop-up is clear, and so that it has a hard time mimicking a native window. The problem is that 'about:blank' windows that have no document.location defined can be used to inhibit this behavior - the window title can be freely controlled, except for the appended ' - Mozilla Firefox' string, and browser UI elements can be spoofed without the user having a reason to be suspicious.

A quick if naive demonstration of the two attacks described here can be found at this URL:

[ Note that I simply used a screenshot of my UI, which is a non-standard one, and the image is not compensated for other screen resolutions etc.; as such, you should be able to see that the URL bar is unusual and non-interactive; that's not a limitation of this attack, but rather, an unloved bastard child of my sheer laziness. ]

<rant>
PS. On an unrelated note - in 2004, people began to notice that these nifty yellow security notification bars that appear at the top of MSIE7 and FF windows can be trivially spoofed by a webpage ("A plugin is required to display this content." / "An update to Firefox is available"), proving that placing messages in a script-accessible region of the window was a terrible, terrible design decision. These problems were not fixed, but rather dismissed as a user responsibility (to do what exactly, learn all legitimate notices and tell them from fakes?). What the hell?
</rant>

Cheers,
/mz

Update:
-----------------------------------

On Sat, 17 Feb 2007 zonafirefox (at) gmail (dot) com [email concealed] wrote:

> I tested it in IE7 and has the same problem. Opera 9.10 blocks the
> opening of the new window but fails in the second button.

With MSIE7, it is possible only if you check 'Allow websites to open windows without address or status bar' for that particular zone; otherwise, all windows will have a minimal URL bar attached. I'm not sure whether this setting is default - if it is, yeah, that'd be bad for MSIE.

As far as Opera is concerned - by default, Javascript can't hide address bars, and if you change this option, the originating URL is still displayed.

/mz
---------------------------
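The advisory's core point is that the title-prefix defence keys off the document's own location, which an about:blank document does not have. The following is an added example, not code from the advisory or from Mozilla: it models that defence as a plain function over a constructed window descriptor, shows the gap for about:blank, and shows the obvious hardening of falling back to the origin of the opener (the script that created and wrote into the window). The field names (`title`, `hasUrlBar`, `location`, `openerLocation`) and the function names are this example's own assumptions, not browser APIs.

```javascript
// Added example: a model of the "prefix the site name to URL-bar-less window
// titles" mitigation and the about:blank gap described in the advisory.
// The window descriptor fields and function names are constructed for this
// example; they are not Firefox internals.

// Returns the scheme+host origin of a URL, or null when the document has no
// usable origin (about:blank, non-http(s) schemes, unparseable input).
function originOf(url) {
  if (!url || url === "about:blank") return null;
  try {
    const u = new URL(url);
    return (u.protocol === "http:" || u.protocol === "https:") ? u.origin : null;
  } catch (e) {
    return null;
  }
}

// Naive mitigation: only the document's own location is consulted, so an
// about:blank window keeps a fully attacker-controlled title.
function displayTitleNaive(win) {
  const base = `${win.title} - Mozilla Firefox`;
  if (win.hasUrlBar) return base;
  const origin = originOf(win.location);
  return origin ? `${origin} - ${base}` : base; // gap: no prefix for about:blank
}

// Hardened variant: when the document itself has no origin, attribute the
// window to the origin of the script that opened it; if even that is unknown,
// say so explicitly rather than showing a bare title.
function displayTitleHardened(win) {
  const base = `${win.title} - Mozilla Firefox`;
  if (win.hasUrlBar) return base;
  const origin = originOf(win.location) || originOf(win.openerLocation) || "unknown origin";
  return `${origin} - ${base}`;
}

// Constructed sample: a URL-bar-less about:blank window whose content was
// injected by a script running on http://example.com.
const sampleWindow = {
  title: "Security Warning",
  hasUrlBar: false,
  location: "about:blank",
  openerLocation: "http://example.com/page.html",
};

console.log(displayTitleNaive(sampleWindow));
console.log(displayTitleHardened(sampleWindow));
```

Run with `node`: the naive variant prints the attacker-chosen title with only the fixed suffix, while the hardened variant prefixes it with `http://example.com`, which is the behaviour the original fix intended for every URL-bar-less window.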
