Monday blues: Firefox phishing flaw; Microsoft's anti-phishing patent

Just days after unpatched cookie manipulation and data hijack bugs are flagged in the open-source browser, a security researcher is warning that Firefox suffers from a design flaw that puts casual surfers at risk of phishing attacks.

Here are three demos of the vulnerability, which was publicly disclosed by Polish hacker Michal Zalewski. The weakness is confirmed in Firefox 2.0.0.1.

In the tests, Zalewski shows how it is possible for a script to open an 'about:blank' URL in a new tab with a blank address bar. The script can then interact with this document as if it were a page in the same domain, including the ability to inject custom HTML.

"Having text displayed in a window that has an empty URL bar can confuse the user as to the origin of the displayed data or security prompts, as if they were internal browser messages; an empty address bar is considerably less suspicious than a shady host name or a panic-inducing data: URL scheme," Zalewski explained in a note posted to BugTraq.

The attack scenario only works when new windows are opened to tabs.

Mozilla's security response folks are already discussing possible fixes.

* * * * * 

Meanwhile, Microsoft has filed a patent application for technology to handle the detection, prevention and notification of browser-based phishing attacks.

Redmond's filing (see document here) explains the invention:

In an embodiment, a messaging application facilitates communication via a messaging user interface, and receives a communication, such as an email message, from a domain. A phishing detection module detects a phishing attack in the communication by determining that the domain is similar to a known phishing domain, or by detecting suspicious network properties of the domain. In another embodiment, a Web browsing application receives content, such as data for a Web page, from a network-based resource, such as a Web site or domain. The Web browsing application initiates a display of the content, and a phishing detection module detects a phishing attack in the content by determining that a domain of the network-based resource is similar to a known phishing domain, or that an address of the network-based resource from which the content is received has suspicious network properties.

 Techdirt is not impressed:

If they truly came up with an innovative way to stop phishing attacks, that would be interesting. Instead, it appears that the patent is for looking at the URLs found in an email or visited by a website, comparing them to a known list of phishing sites -- and then alerting you that the link might be fraudulent. In other words, it's the most obvious anti-phishing system around (and one that's proven to not be all that effective). If someone were to describe to you the problem of phishing, and ask you how to stop it, this would be nearly everyone's first attempt. It's hard to see how something so obvious deserves patent protection -- but the way our system works these days, the whole "non-obvious" requirement has been pretty much tossed out.

NOTE: This is simply an application for a patent that has not (yet?) been granted.