Critical FireFox vulnerability could allow phishing scams

Spinner

FireFox is coming under attack much like other browsers and the latest attack could open users up to phishing scams.

The flaw in Mozilla Firefox 1.0, details of which were published by security company Secunia on Tuesday, could allow hackers to spoof the URL in the download dialog box that pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.

Submitted by: Camman

Source: News.com

BlackHawk

http://forums.mozillazine.org/viewtopic.php?t=196756 ?

Camman

Black Hawk wrote:

http://forums.mozillazine.org/viewtopic.php?t=196756 ?

that site you linked wrote:

This may not be a "bug", because Firefox is doing its best with invalid HTML, but that doesn't change whether or not it's a security flaw. The issue is that it could be used by malicious sites to disguise the target of links, not that Firefox needs to clean up after lazy webmasters.

Weedo

I've been getting more and more popups in Firefox.

David

Gaah! Mod, please delete two previous posts.

A URL doesn't have to be long to be nicely spoofed. See http://www.boingboing.net/2005/02/06/shmoo_group_exploit_.html


The proffered workaround does not seem to help.

The only sure way to know will be to read the certificate. Yah right, who's gonna do that?