Author Topic: Anti phishing tool in Firefox easily circumvented - unpatched hole!  (Read 2629 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Hi malware fighters,

Firefox 2.0 has a built-in phishing filter to protect users against bogus sites. Visited sites are compared with a list of known phishing sites, but it also has a feature that checks all pages opened against an online database; in that way users are warned against a new phish.

But for phishers it is dead easy to circumvent this filter. http://www.mozilla.com/firefox/its-a-trap.html makes the Mozilla browser alert. But if some slashes are added to the URL at hand, the filter fails miserably, as you can experience from this URL: http://www.mozilla.com/firefox////its-a-trap.html. This "unpatched hole" can be found in Firefox 2.0.0.1, 2.0.0.2 and 2.0.0.3. You can protect yourself by installing the Netcraft anti-phishing toolbar extension for Firefox or Flock.

polonus
« Last Edit: March 30, 2007, 11:40:57 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
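
The bypass described in the post above comes down to looking a URL up before normalizing it. Added example (not part of the original post and not Firefox's code): a lookup that canonicalizes first, so the slash-padded URL resolves to the same blocklist entry. The blocklist contents, the function names and the "naive" comparison are assumptions made for illustration.

```javascript
// Added example, not Firefox code. Constructed blocklist holding the one test
// page named in the post, stored in canonical "host/path" form.
const BLOCKLIST = new Set(["www.mozilla.com/firefox/its-a-trap.html"]);

// Assumed weak behaviour: compare the URL text as typed, minus the scheme.
function naiveIsListed(rawUrl) {
  return BLOCKLIST.has(rawUrl.replace(/^[a-z][a-z0-9+.-]*:\/\//i, ""));
}

// Percent-decode until stable (bounded) so %2F or double encoding cannot
// hide a slash. Treating %2F as "/" is deliberately conservative here.
function fullyDecode(s) {
  for (let i = 0; i < 5; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch (e) { return s; }
    if (next === s) break;
    s = next;
  }
  return s;
}

// Reduce a URL to one canonical "host/path" key. Query and fragment are
// dropped in this example.
function canonicalize(rawUrl) {
  const u = new URL(rawUrl); // lowercases the host, resolves "." and ".."
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("unsupported scheme: " + u.protocol);
  }
  const host = u.hostname.replace(/\.+$/, ""); // strip trailing dots
  const path = fullyDecode(u.pathname);
  const segments = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue; // empty segment = extra slash
    if (seg === "..") segments.pop(); else segments.push(seg);
  }
  const trailing = path.endsWith("/") && segments.length ? "/" : "";
  return host + "/" + segments.join("/") + trailing;
}

function isListed(rawUrl) {
  return BLOCKLIST.has(canonicalize(rawUrl));
}

// The two URLs from the post: same page, different spelling.
for (const url of ["http://www.mozilla.com/firefox/its-a-trap.html",
                   "http://www.mozilla.com/firefox////its-a-trap.html"]) {
  console.log(url, "naive:", naiveIsListed(url), "canonical:", isListed(url));
}
```
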

Offline BJ_GeOrgE

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 350
  • prevention is better than cure
Re: Anti phishing tool in Firefox easily circumvented - unpatched hole!
« Reply #1 on: March 30, 2007, 11:12:53 PM »
wow.. really interesting.. a Firefox security hole.. I hope they fix it soon..
OS:Windows 7 Professional 64-bit SP1
Antivirus: Avast Free v8.0.1497/Firewall: Windows Firewall/On Demand: Malwarebytes Free Edition/Other tools: CCleaner

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89339
  • No support PMs thanks
Re: Anti phishing tool in Firefox easily circumvented - unpatched hole!
« Reply #2 on: March 30, 2007, 11:26:01 PM »
I have to admit I have never been happy with the anti-phishing within Firefox; with dial-up it is a right royal pain in the rear, and mine has been disabled from day one of its existence.

I also prefer to take my own precautions on anti-phishing, using either DrWeb, manual check at McAfee's site advisor, whilst neither of these are perfect for anti-phishing. But add to that NoScript and DropMyRights, allied with a healthy dose of common sense and not clicking links in unsolicited emails or links in suspect or untrusted web sites, I don't feel vulnerable.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: Anti phishing tool in Firefox easily circumvented - unpatched hole!
« Reply #3 on: March 31, 2007, 12:53:16 AM »
Hi DavidR,

That is why it is beyond me, that they did not bring in something like the Netcraft Anti Phishing Toolbar. It is one of the very few toolbars I will allow inside the FF or Flock browser, and moreover it is a good "British" tool by all standards. And then again, it has not failed me until now one single time.
Why do the developers of these Mozilla type browsers not incorporate NoScript, Stealther or the Netcraft Toolbar, I cannot grasp to understand really? Flock now has come up with "Stumble upon" as by default, but I think that is inside this browser on complete other grounds, and it can always be explained away as an extension of the Web 2.0 character of this type of browser.
Browser security by default, that is the thing we need. But then the general user cries out that he thinks that's a nuisance, like now with the settings of IE7, where the inexperienced user starts to allow insecure ActiveX options, because they are uninstalled by default, and he or she is so accustomed to unsafe settings by default. So whenever you deliver a bit of security, they again experience this as a drag. "It seems you can never please the general masses, and that we have known for a long time, isn't it?"

polonus

« Last Edit: March 31, 2007, 12:55:02 AM by polonus »