Firefox spoof demonstration

Printable View

July 30th, 2004, 09:50 PM
SDK

Firefox spoot demonstration

Link : http://www.nd.edu/~jsmith30/xul/test/spoof.html
July 31st, 2004, 09:31 AM
slarty

Is there anything that stops this from being done in IE?

Probably not.

The browser lets the page render pretty much anything. Ok, so in IE it would be harder because there is no XUL, you could still fake it with lots of images and Javascript.

Slarty
July 31st, 2004, 09:37 AM
pooh sun tzu

A huge give away to keep an eye out for is if it stops displaying the URLs as you hover over them in the status bar on the bottom. That, and if you are using windows it seems to still display the images for the window resize used in Gnome/KDE (bottom right)

Nice hack though.
July 31st, 2004, 11:02 AM
thehorse13

While this and other spoofs of the like are reasonably easy for IT people to spot, what makes them particularly disturbing is the tremedous amount of success they have against your typical end user. Whenever I see something like this, I typically look at it from the perspective of how likely my end users will be fooled.

Thanks for the link.
July 31st, 2004, 01:20 PM
pooh sun tzu

how to prevent this

The primary problem is that Javascript allows windows without controls to be displayed. So, let's defeat that (hail firefox configuration ability!):

1. Put

Quote:

about:config

in the address bar. note, remove the space that AO puts between about and : !!!

2. And then in the second address bar (the search filter)put:

Quote:

dom.disable_window_

A list of items should show up.

Then change all those entries to the following values (or look up how to make a user.js file on Google):

Quote:

dont change this one!!
dom.disable_window_flip = false
change the rest below here
dom.disable_window_move_resize = true
dom.disable_window_open_feature.close = true
dom.disable_window_open_feature.directories = true
dom.disable_window_open_feature.location = true
dom.disable_window_open_feature.menubar = true
dom.disable_window_open_feature.minimizable = true
dom.disable_window_open_feature.personalbar = true
dom.disable_window_open_feature.resizable = true
dom.disable_window_open_feature.scrollbars = true
dom.disable_window_open_feature.status = true
dom.disable_window_open_feature.titlebar = true
dom.disable_window_open_feature.toolbar = true
dom.disable_window_status_change = true

Sure, the graphics are still there, but now you have TWO sets of toolbars (since we removed JS's ability to remove toolbars) and can easily smell something fishy.