Firefox, Opera Allow Phishing By Data URI Claims New Paper

Posted by Unknown Lamer
from the but-it-said-it-was-a-cat-picture dept.
hypnosec writes "A student at the University of Oslo, Norway has claimed that phishing attacks can be carried out through the use of URIs and users of Firefox and Opera are vulnerable to such attacks. Malicious web pages can be stored into data URIs (Uniform Resource Identifiers) whereby an entire webpage's code can be stuffed into a string, which if clicked on will instruct the browser to unpack the payload and present it to the user in the form of a page. This is where the whole thing gets a bit dangerous. In his paper, Phishing by data URI [PDF], Henning Klevjer has claimed that through his method he was able to successfully load the pages on Firefox and Opera. The method, however, failed on Google Chrome and Internet Explorer."
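
The mechanism in the summary above, seen from the filtering side, as an added example that is not part of the story or the paper: Python code that finds `data:` URIs (RFC 2397 syntax) in a message or page body, decodes them, and flags those whose payload is a renderable document containing a form or password field. The `ACTIVE_TYPES` list, the finding fields and the sample input are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(r"\bdata:([^,\s\"'<>]*),([^\s\"'<>]*)", re.IGNORECASE)
# Media types a browser renders as a document (list is an assumption).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def parse_data_uri(uri):
    """Return (media_type, payload_bytes), or None if uri is not a data URI."""
    m = DATA_URI.fullmatch(uri.strip())
    if not m:
        return None
    params = m.group(1).split(";")
    media_type = params[0].strip().lower() or "text/plain"  # RFC 2397 default
    raw = unquote_to_bytes(m.group(2))  # undo %XX escapes first
    if any(p.strip().lower() == "base64" for p in params[1:]):
        try:
            raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except ValueError:  # malformed base64
            return None
    return media_type, raw

def scan(text):
    """Return one finding per data URI in text that carries a document."""
    findings = []
    for m in DATA_URI.finditer(text):
        parsed = parse_data_uri(m.group(0))
        if parsed is None or parsed[0] not in ACTIVE_TYPES:
            continue
        media_type, body = parsed
        html = body.decode("utf-8", "replace").lower()
        findings.append({
            "media_type": media_type,
            "decoded_bytes": len(body),
            "has_form": "<form" in html,
            "has_password_field": bool(re.search(r"type\s*=\s*[\"']?password", html)),
            "has_script": "<script" in html,
        })
    return findings

# Constructed sample: one harmless inline image and one link whose target
# is a whole HTML page packed into a data URI.
PAGE = (b"<html><body><form action='https://example.invalid/'>"
        b"<input type='password' name='p'></form></body></html>")
SAMPLE = ('<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">\n'
          '<a href="data:text/html;base64,'
          + base64.b64encode(PAGE).decode() + '">Sign in</a>\n')
```

Calling `scan(SAMPLE)` returns a single finding for the `text/html` link; the inline GIF is parsed but ignored because its media type is not a document type.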

  • In other words... (Score:1, Insightful)

    by c0lo (1497653) on Tuesday September 04, 2012 @03:29AM (#41220205)
    In other words, IE and Chrome do not implement the data URI [ietf.org] to the specification.
    Lucky them, they can pose now as "more secure".
  • Re:Chrome and IE (Score:5, Insightful)

    by macraig (621737) <mark.a.craig@gma[ ]com ['il.' in gap]> on Tuesday September 04, 2012 @03:43AM (#41220259)

    I've been reading the Wikipedia entry, and if I grasp it correctly there's a distinct negative repercussion to use of them: they could apparently be used to stuff HTML elements into one "get" and possibly defeat all sorts of HTTP proxy filters, ad blockers, and other sundry Web-page tweakers in the process. If that's true, I would not be in favor of their use or support at all. I use all sorts of tools and extensions to "take back the Web"; I don't want to lose the abilities those tools enable.

  • Re:Chrome and IE (Score:2, Insightful)

    by Tom (822) on Tuesday September 04, 2012 @03:57AM (#41220305) Homepage Journal

    Whatever may or may not be true in regards to IE security, this particular vulnerability does not work on IE because it has a length limit on data URIs, not because anyone thought of it and secured it against it. It's accidental. Chrome is the browser that has an actual security feature preventing this attack.

  • Re:Chrome and IE (Score:5, Insightful)

    by higuita (129722) on Tuesday September 04, 2012 @06:01AM (#41220893) Homepage

    Sandboxing is just another layer of security, it isn't a silver bullet solution... in fact many times (like in Chrome) it is used as an excuse to not properly check things and do more careless development (from the security point of view). All is well until someone finds a way to break out of the sandbox (just look at the recent Java security problems) and then you can use one of the many holes to hop jump the sandbox and reach the OS.
    Firefox mostly doesn't have a sandbox, but has many other proper security checks that others lack, and it's secure because of them. Of course a sandbox is yet another layer that should exist and they are slowly sandboxing key areas. It's harder because they want to support various OSes at the same level, where Chrome has a full sandbox in Windows but a lot weaker one in Linux (see https://code.google.com/p/chromium/wiki/LinuxSandboxing [google.com] and https://code.google.com/p/chromium/wiki/LinuxSUIDSandbox [google.com]... things might be better when seccomp [lwn.net] is enabled by default in Chrome)

    So yes, sandbox is good, but should not be trusted as the main security barrier in one application, other checks are always needed.

  • by Tom (822) on Tuesday September 04, 2012 @06:59AM (#41221105) Homepage Journal

    If it would work, we would see a considerable decline in phishing activities and success, because we (i.e. the IT security industry) have been telling that line to users for about a decade now.

    All the statistics I have available show no such decline. The Verizon data breach report is publicly available and has been saying on and off for many years that phishing is still an issue, is getting bigger, is not decreasing as much as everyone had hoped, etc. etc.

    Fact: Phishing still works enough to be a big industry.
    Fact: We've been saying "don't click on e-mail links" to users for 10+ years.
    Fact: The IQ 100 median norm has slightly increased during that time.

    Conclusion: People are dumb is not a sufficient answer.

    Addendum: Humanity has used lots and lots and lots of stuff in its history that didn't work. Raindances, homeopathy, coins for the ferryman, need I go on?

  • To clarify (Score:1, Insightful)

    by Anonymous Coward on Tuesday September 04, 2012 @06:06PM (#41228347)

    As the author of the paper I feel the need to clarify a tiny point before I fall asleep. Google Chrome is vulnerable, it is only REDIRECTION TO A DATA URI that Chrome sees as dangerous and denies. For more details, please contact me on Twitter (@hennikl) or by email (it's in the paper title). I'll try to watch this thread and give more exhaustive answers after some hours of beauty sleep. It seems a lot of the commenters do not grasp the idea completely ;) --Henning Klevjer
