mailing list archives
Re: New possible scam method : forged websites using XUL (Firefox)
From: "Peter J. Holzer" <hjp () wsr ac at>
Date: Mon, 2 Aug 2004 11:59:17 +0200
On 2004-07-31 12:15:46 +0100, Marc wrote:
The latest version of Firefox is 0.9.2.
The developers of Mozilla are currently looking into various
methods to make a fake user interface more obvious. The most
likely solution will be to force the status bar to always be
visible, as Microsoft will do with IE6 SP2.
This appears to be the case with 0.9.2.
The spoofed PayPal site (from
http://www.nd.edu/~jsmith30/xul/test/spoof.html) cannot hide FireFox's
status bar - so you get 2 status bars displayed.
On my system (Linux with fvwm2 window manager) the window has just the
right size to show the fake status bar but hide the real status bar. The
missing bottom window border is the only indication that there may be
something wrong (and that's not a big indication, since windows that
don't fit entirely on the screen aren't that uncommon).
A quote from <URL:http://bugzilla.mozilla.org/show_bug.cgi?id=22183#c77>:
| Anyway, we already put a dark inset border around untrusted chrome, we
| user to disable the disabling of the status bar, and so forth. Without
| making ourselves the laughing stock of the Web browser implementer
| community, there is little more we can do.
It looks like firefox doesn't "put a dark inset border around untrusted
chrome". Is there a similar exploit for Mozilla 1.7, to see whetehr that
border would be noticable (the URLs in the bug don't work).
Anyway, there are a few more things that Mozilla (suite or firefox)
* allow user to disable hiding of chrome (like disabling popups, etc.)
(few people know that mozilla can do that, and even for those, editing
user.js is tedious).
_ | Peter J. Holzer | Shooting the users in the foot is bad.
|_|_) | Sysadmin WSR / LUGA | Giving them a gun isn't.
| | | hjp () wsr ac at | -- Gordon Schumacher,
__/ | http://www.hjp.at/ | mozilla bug #84128