Fwd: New possible scam method : forged websites using XUL (Firefox)

From: David Ahmad (da_at_securityfocus.com)
Date: 07/30/04

    Date: Fri, 30 Jul 2004 15:05:08 -0600
    To: bugtraq@securityfocus.com

    ----- Forwarded message from Jeff Smith -----

    Mozilla Firefox allows remote sites to render XUL content that
    mimics the browser's user interface. Using Javascript, the real
    interface can be turned off and replaced with fake UI components.
    For spoofing the UI, the effectiveness of XUL is far greater than
    that of static images or even DHTML. The security implications of
    this trick were considered as early as 1999 in Mozilla Bug 22183
    (http://bugzilla.mozilla.org/show_bug.cgi?id=22183). However, the
    Mozilla Foundation kept the bug confidential until recently,
    when a researcher noted the problem and published a
    particularly effective demonstration, spoofing a "PayPal" login
    site (see http://www.nd.edu/~jsmith30/xul/test/spoof.html).

    The demonstration takes advantage of the fact that the browser is
    designed to seamlessly render web applications written in XUL. XUL
    is an XML-based language that creates a user interface. It can
    produce buttons, menus, dialog boxes, and many more UI elements.
    The most well-known application using XUL for its interface is the
    Firefox browser itself. For more information, see
    http://www.mozilla.org/projects/xul/.

    The entire interface to Firefox is contained in a ~70kb XUL file
    (chrome/browser.jar!content/browser/browser.xul). With
    surprisingly few modifications, this same file was turned into a
    malicious web application. The URL bar was modified to always
    display "https://www.paypal.com/" and the status bar was modified
    to include the "SSL Security" padlock icon. In addition,
    Javascript was added to make a spoofed "Security Info" dialog box
    pop up after double-clicking the padlock icon. The spoofed dialog
    box also derives from a XUL file in the Firefox UI, modified to
    contain ostensibly legitimate information about the SSL
    "certificate" of the page.

    All said and done, the spoof successfully emulates a default
    installation of Firefox with frightening accuracy. However,
    because untrusted web applications have no access to user
    preferences, most browser customizations are not reflected in the
    spoof. This includes toolbar arrangement, the bookmarks menu, and
    some browser extensions. (The browser theme [UI skin] is an
    exception; it is spoofed.) In addition, to be effective, a user
    must click on a link on a malicious web page or (more likely) a
    forged email appearing to be from "PayPal".

    The developers of Mozilla are currently looking into various
    methods to make a fake user interface more obvious. The most
    likely solution will be to force the status bar to always be
    visible, as Microsoft will do with IE6 SP2.

    More information:
    http://bugzilla.mozilla.org/show_bug.cgi?id=22183
    This is the first mention of the problem that I am aware of. It was
    marked confidential for five years until 7-21-2004.

    http://bugzilla.mozilla.org/show_bug.cgi?id=252198
    This is the bug that was eventually filed on 7-19-2004.

    http://bugzilla.mozilla.org/show_bug.cgi?id=252811
    This is the proposed solution to the issue.

    http://www.nd.edu/~jsmith30/xul/test/spoof.html
    This is the demonstration of the spoof.

    The author of the "PayPal" demonstration can be contacted via
    email at jsmith30 at nd dot edu.

    --
    David Mirza Ahmad
    Symantec 
    PGP: 0x26005712
    8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
    
