February 15th, 2005, 04:02 PM
Firefox, Others at Phishing Risk
Well, while I was collecting some information about the newest Phishing techniques. I found this article which really astonshed me... A group announced that they have detected new flaw in Firefox and others that leaves users open to a spoofing or phishing attack. And what is really wierd that IE is no affected...
I do like Firefox, and it is just disappointing to hear that?
A non-profit security think tank called the Shmoo Group has announced the discovery of a flaw in Firefox and other recent browsers, including Mozilla, Safari, Opera and Camino, that leaves users open to a spoofing or phishing attack. Microsoft Internet Explorer is not affected.
The Shmoo Group posted notice of the exploit on its site under the title, "0wn any domain, no defense exists."
"Want to own ANY domain? Want a trusted SSL cert for it? We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers," states the group's Web site.
Calling the flaw "IDN Spoofing Security Issue", security firm Secunia has labeled it moderately critical and suggests users don't follow links from un-trusted sources and manually type a URL in the address bar.
Eric Johanson of the Shmoo Group has reported and demonstrated in a proof of concept a "homograph attack" that allows a malicious Web site to spoof the actual URL that is displayed in the address bar, status bar or even an SSL certificate.
The flaw is the result of an "unintended result" of how the International Domain Name (IDN) system is implemented in the browsers. One way the flaw can be exploited is for a malicious user to register a domain name with an international character that looks like a Latin alphabet character. The address appears to be the correct address, though it is using an international character.
The concept of "Homograph attacks" is not a new one. Johanson himself cites a December 2001 research paper that describes how such an attack could occur, though he notes at that time no browser had implemented Unicode/UTF8 domain name resolution. Almost every recent browser (Firefox, Mozilla, Safari, Opera) except for Microsoft's Internet Explorer currently implements IDN and Unicode/UTF8 domain name resolution.
According to the Shmoo Group, Mozilla developers have provided a workaround for the problem, though it's unclear how successful the workaround is at this point.
Here is another article
Sunday, February 6, 2005
Shmoo Group exploit: 0wn any domain, no defense exists
Pablos sez, "Shmoocon ended today. And just to prove The Shmoo Group wasn't sitting on their asses for the entire time while planning the con - A new exploit was demo'd by EricJ that left all jaws our on the floor. Want to own ANY domain? Want a trusted SSL cert for it? Check it out here. We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers. Official advisory here. Phishing attacks of doom coming soon." Link (Thanks, Pablos!)
Update: Chris Smith sez,
1) Goto your Firefox address bar. Enter about
:config and press enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.
4) Go check out the shmoo demo again and notice it no longer works.
Update 2: J Brad Hicks sez, "Contrary to the update you just posted, setting network.enableIDN to false did not fix the problem for me in FireFox 1.0, aka Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0. Not even after quitting the application and re-launching it."
Update 3: Glenn sez, "I had the same problem in the same browser until I used Tools/Options/Privacy to clear the browser's cache. After clearing the cache, the network.enableIDN setting *does* appear to prohibit the exploit."
Update 4: Salim sez, "It seems that Firefox 1.0 is vulnerable despite applying the network.enableIDN fix. It works initially, but when the browser is restarted, the idn feature kicks into life again."
Update 5:Scott sez, "I've done a simple hack to Firefox to make it stick. My how-to is here."
\"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster
February 15th, 2005, 04:40 PM
Popularity = Vulnerability.
Doesn't matter if your a piece of software, a celebrity or a kid in high school, once you become popular people will always be looking for flaws.
\"You got a mouth like an outboard motor..all the time putt putt putt\" - Foghorn Leghorn
February 15th, 2005, 05:01 PM
Hmmm...these articles are over a week old, and I thought we had a thread somewhere already.
Where's SDK when you need him?
/* Edit */
Found it! http://www.antionline.com/showthread...hreadid=265856
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
February 24th, 2005, 07:00 AM
yup thats what happened with M$
Popularity = Vulnerability.
i hope the venurability is limited to phising and scams and does not extend to become a high level security threat !