
Firefox, Opera Allow Phishing By Data URI Claims New Paper 151

Posted by Unknown Lamer
from the but-it-said-it-was-a-cat-picture dept.
hypnosec writes "A student at the University of Oslo, Norway has claimed that Phishing attacks can be carried out through the use of URI and users of Firefox and Opera are vulnerable to such attacks. Malicious web pages can be stored into data URIs (Uniform Resource Identifiers) whereby an entire webpage's code can be stuffed into a string, which if clicked on will instruct the browser to unpack the payload and present it to the user in form of a page. This is where the whole thing gets a bit dangerous. In his paper, Phishing by data URI [PDF], Henning Klevjer has claimed that through his method he was able to successfully load the pages on Firefox and Opera. The method however failed on Google Chrome and Internet Explorer."
  • In other words... (Score:1, Insightful)

    by c0lo (1497653) on Tuesday September 04, 2012 @02:29AM (#41220205)
    In other words, IE and Chrome do not implement the data URI [ietf.org] to the specification.
    Lucky them, they can pose now as "more secure".
  • by dgharmon (2564621) on Tuesday September 04, 2012 @02:30AM (#41220213) Homepage
    How do these malicious URIs get access to the underlying Operating System?
    • by Tom (822) on Tuesday September 04, 2012 @02:55AM (#41220299) Homepage Journal

      They don't. It's a phishing attack, its intent is to get you to enter your password to some interesting site on a fake of that site. Afterwards, they'd redirect you to the real one or show a bogus error message, and then loot your account there.

      One attack vector against phishing attacks has been to take the site down where the fake is hosted. If the bad guys don't have to host the fake anymore because it is entirely self-contained in the phishing mail you send out through their botnet, then there is one less thing we can do against phishing.

    • by Jonner (189691) on Tuesday September 04, 2012 @03:59PM (#41227513)

      How do these malicious URIs get access to the underlying Operating System?

      If you'd read TFA, you'd know this is potentially useful as part of a phishing attack to fool users supplying private data such as login credentials to an attacker. It is not a vulnerability in any browser.

  • by Sqr(twg) (2126054) on Tuesday September 04, 2012 @02:47AM (#41220269)

    Testing if I can embed

  • by Chrisq (894406) on Tuesday September 04, 2012 @02:49AM (#41220275)
    Can anyone explain to me why this is worse than serving up the same "malware" on a web page instead of a data URL? The screenshot in the paper clearly shows the url starting "data:text/html;" instead of http://en.wikipedia.org/ [wikipedia.org] so surely it is just doing the same thing as if I hosted a mock Wikipedia login on "mysite.com" - and is a lot less likely to fool people than if I used a domain like wikipediaLogin.com
  • by Ash Vince (602485) * on Tuesday September 04, 2012 @02:49AM (#41220279) Journal

    This might technically be a phishing exploit, but you would have to be pretty stupid to fall for it still, as the address bar at the top of the page would not be your bank's web address.

  • by Hentes (2461350) on Tuesday September 04, 2012 @02:50AM (#41220281)

    So I click on a link and a page loads, as expected. What happens then? How does that page compromise my browser?

    • by bloodhawk (813939) on Tuesday September 04, 2012 @03:25AM (#41220437)
      It doesn't compromise your browser, it simply allows unsuspecting users to be tricked, hence why it is a phishing vulnerability, e.g. a link supposedly to your bank login page: the page looks identical to your bank login page but sends the details to the link author's server, where they can harvest your credentials to later empty your bank account, while all the time appearing that you clicked on a valid link if you were not paying attention.
  • by ixuzus (2418046) on Tuesday September 04, 2012 @04:15AM (#41220677)
    I actually went and read the paper that this is supposedly all based on. (I know, it's not the done thing and I apologise) I don't know if it has changed since the other article was written but I couldn't find any reference to Opera or Firefox.

    It does mention that Chrome will throw an error but if you hit enter or reload it will work. There is a one sentence reference to the fact that IE has "a limit to URIs". I presume that means a length limit and if so IE is not invulnerable - only the initial payload has to be smaller.

    While there is much hand wringing about the fact that it cannot be shut down because there is no central server it is hosted on, I don't see it as an issue. For phishing to be effective the stolen data has to actually GO somewhere, which probably provides a target that can be shut down. It doesn't matter how long the URI circulates after the target is shut down - all that stolen data is probably going to the great byte bucket in the sky.

    I think the more interesting point that the paper made is that phishing sites can effectively be hosted on link shortening services using this method.
  • by holle2 (85109) on Tuesday September 04, 2012 @05:29AM (#41220987)

    ... in an alert box of its own:

    javascript: and data: URIs typed or pasted in the address bar are disabled to prevent social engineering attacks.
    Developers can enable them for testing purposes by toggling the "noscript.allowURLBarJS" preference.

    Browsing the Web w/o NoScript is dangerous to the core anyway.

    Just my 2cents

    - Holger

  • by DontLickJesus (1141027) on Tuesday September 04, 2012 @11:56AM (#41224423) Homepage Journal
    The appropriate url is displayed, data URIs serve a purpose. OP, this is ridiculous. Quit giving this guy a voice.
  • To clarify (Score:4, Interesting)

    by hennikl (2719785) on Tuesday September 04, 2012 @06:01PM (#41228959)
    As the author of the cited paper, I feel that I have to clarify a few issues here: As well as Opera and Firefox, GOOGLE CHROME ALSO "suffers" from the ability to host data URIs. It just distrusts being redirected to one. IE (it is said) has a size limit to data URIs of 32 KB. However, in my tests, a ~26 KB URI was tried, unsuccessfully. The data URI phishing pages can be made in many ways, differing in how they use other data. One can make a true offline (or local) version of a web page if all linked content on the page is contained in the "root page" through yet another data URI. If the data URI web pages are presented on a computer running a related trojan program, this program may handle the communication of the "secret information" (credit card #, passwords, etc.). This can be done P2P (as in botnets) thus no need for server infrastructure. Another issue I'm discussing in my paper (http://klevjers.com/papers/phishing.pdf) is that of ownership to the data URI contents. I feel TinyURL unwittingly takes ownership of whatever content that is hosted there, as they store the entire (phishing) web page on their servers.
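
The story and comments above describe whole pages packed into data: URIs and circulated by mail or through link shorteners. As an added example (not code from the paper or from any commenter), here is a check a mail filter or shortening service could run on submitted links; the function names, the set of active media types and the block/review policy are assumptions of this example.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Media types a browser renders as an active document rather than inert data.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
# Markup that asks the user for input (a policy choice made for this example).
CREDENTIAL_HINTS = re.compile(rb'<form\b|type\s*=\s*["\']?password', re.I)

def parse_data_uri(uri):
    """Split an RFC 2397 URI (data:[<mediatype>][;base64],<data>).

    Returns (media_type, payload_bytes), or None if uri is not a data URI;
    payload_bytes is None when a base64 body cannot be decoded.
    """
    uri = uri.strip()
    if uri[:5].lower() != "data:":
        return None
    header, comma, body = uri[5:].partition(",")
    if not comma:
        return None
    params = [p.strip().lower() for p in header.split(";")]
    media_type = params[0] or "text/plain"  # RFC 2397 default type
    raw = unquote_to_bytes(body)            # undo %XX escaping
    if "base64" not in params[1:]:
        return media_type, raw
    raw = re.sub(rb"\s+", b"", raw)
    raw += b"=" * (-len(raw) % 4)           # tolerate stripped padding
    try:
        return media_type, base64.b64decode(raw)
    except ValueError:
        return media_type, None

def assess_link(uri):
    """Classify a submitted link: not-data-uri, inert, review or block."""
    parsed = parse_data_uri(uri)
    if parsed is None:
        return "not-data-uri"
    media_type, payload = parsed
    if media_type not in ACTIVE_TYPES:
        return "inert"
    if payload is None or not CREDENTIAL_HINTS.search(payload):
        return "review"  # renders as a page; let a human or sandbox decide
    return "block"       # renders as a page and asks for input

# Constructed sample links, not taken from the paper.
SAMPLES = [
    "data:image/png;base64,iVBORw0KGgo=",
    "data:text/html,%3Cp%3Ehello%3C%2Fp%3E",
    "data:text/html,%3Cform%3E%3Cinput%20type%3Dpassword%3E%3C%2Fform%3E",
]
```

A service that has no reason to accept active documents in links can refuse everything that is not "not-data-uri" or "inert" instead of inspecting the payload.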
