Re: [Full-disclosure] Firefox: about:blank is phisher's best friend
From: Michael Wojcik (Michael.Wojcikmicrofocus.com)
Date: Mon Feb 19 2007 - 09:52:17 CST
> From: Michal Zalewski [mailto:lcamtufdione.ids.pl]
> Sent: Friday, 16 February, 2007 17:51
> To: bugtraqsecurityfocus.com
> Cc: full-disclosurelists.grok.org.uk
> Firefox suffers from a design flaw that can be used to confuse casual
> users and evoke a false sense of authority when visiting a fraudulent
> website. ...
> It is possible for a script to open 'about:blank' URL in a new tab;
> tab will be opened with a blank address bar (the behavior is different
> for new windows, where the bar will be grayed out or hidden).
Nice work, as always. A couple of points:
from working, of course. Firefox's NoScript extension, which implements
a scripting whitelist in a highly usable fashion, works nicely for this
sort of thing. It will also prevent scripts from about:blank by
default, though that's of limited use here.
Unfortunately, it's unlikely that "casual users" will have NoScript
installed, though I'm happy to see that it's one of the most popular
- The third attack on your page ("Test it through about:blank proxy"),
which is designed to open a spoofed-UI window with a "normal" title bar,
produced a window with the title "about: - Google - Mozilla Firefox" on
your site). I don't know offhand why I got the "about: -" prefix;
Principal Software Systems Developer, Micro Focus