Aug 18, 2010 20:19 GMT

Mozilla announced that it doesn't plan to fix an alleged bug disclosed recently regarding Firefox not triggering a warning when a particular obfuscation technique is used for URLs loaded in IFrames.

Two days ago, Aditya K Sood, a security researcher at Web security vendor Armorize Technologies, described in a post on the company's blog what he called a "Mozilla Firefox Bug."

The issue described by Sood refers to the way Firefox handles certain obfuscated URLs in IFrames.

Whenever a URL of the form site.com@evil.com is loaded in the address bar, the browser displays a confirmation dialog letting the user know that the website they are actually accessing is evil.com, not site.com.

This simple obfuscation technique was commonly used in social engineering attacks, like phishing, a few years ago, prompting Mozilla to introduce the warning.

The Armorize researcher points out that this warning is not shown when such URLs are loaded inside IFrames, and according to him "In certain cases, it can be used effectively in spreading malware and stealing sensitive information."

However, Mozilla and other security experts disagree. "We are aware of the discussion. There is currently no fix in plan since Mozilla does not believe this can be used to attack users," Johnathan Nightingale, director of Firefox development, announced on the Mozilla Security blog.

The argument is that users never see the URLs loaded in IFrames unless they explicitly look at the page's source code. Therefore, an attacker gains nothing by loading the obfuscated site.com@evil.com instead of loading evil.com directly.
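As an added illustration that is not part of the article, the following script shows in code the point the argument above rests on: a standards-compliant URL parser treats everything before "@" as userinfo and connects to the host after it, so a defender reviewing page markup can flag subresource tags that use this pattern. The sample HTML is constructed.

```python
# Added example (not the article's code): show that a URL parser treats the
# part before '@' as userinfo and connects to the host after it, and scan
# page markup for subresources that use this pattern. SAMPLE is constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute is fetched without ever appearing in the address bar.
SUBRESOURCE_ATTRS = {"iframe": "src", "frame": "src", "script": "src", "img": "src"}

def real_host(url):
    """Return (decoy, actual_host) when url carries userinfo, else None."""
    parts = urlsplit(url)
    if parts.username is None:  # no '@' in the authority: nothing is masked
        return None
    decoy = parts.username
    if parts.password is not None:
        decoy += ":" + parts.password
    return decoy, parts.hostname  # hostname is what the browser connects to

class SubresourceScanner(HTMLParser):
    """Collect subresource tags whose URL masks its real host with userinfo."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, decoy, actual_host)

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        hit = real_host(url) if url else None
        if hit:
            self.findings.append((tag, url) + hit)

def scan_html(html):
    scanner = SubresourceScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a zero-size frame whose src reads like site.com at a glance.
SAMPLE = """<html><body>
<iframe src="http://site.com@evil.com/login" width="0" height="0"></iframe>
<img src="https://cdn.site.com/logo.png">
<script src="//static.site.com/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url, decoy, host in scan_html(SAMPLE):
        print(f"<{tag}> {url}: looks like {decoy!r}, actually loads {host!r}")
```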

"Aditya's complaint in the aforementioned bug is very simple, and boils down to the observation that Firefox employs this warning only for the top-level document - but does not apply this logic to subresources such as IFRAMEs. If you think about it for five seconds or so, it's painfully evident why: there is simply no need to do so.

"The URLs of these subresources are never displayed in the address bar, and therefore, there is no opportunity to confuse the user in any way. There is no reasonable attack scenario where this would matter," writes Michal Zalewski, a security engineer at Google, who takes issue with several media sites that reported this as a bug in Firefox.