Firefox 2.0.0.1 and Opera 9.10 Anty Fraud/Phishing Protection bypass. Feb 06 2007 01:05PM
Kanedaaa Bohater (kaneda bohater net)

Firefox 2.0.0.1 and Opera 9.10 Anty Fraud/Phishing Protection bypass.

+ Subject:
Firefox 2.0.0.1 Phishing Protection bypass
Opera 9.10 Fraud Protection bypass

+ Version:
Firefox 2.0.0.1 [ Linux | Windows ]
Opera 9.10 Final [ Linux build 521 | Windows build 8679 ]

+ Discovered by:
Kanedaaa: http://kaneda.bohater.net

+ Impact:
Low

+ Firefox Phishing Protection Description:
Phishing Protection takes Firefoxs security to a new level, helping to safeguard your
financial information and protect you from identity theft. When you encounter a Web site
that is a suspected forgery (known as a phishing site) Firefox will warn you and offer to
take you to a search page so you can find the real Web site you were looking for.

+ Opera Fraud Protection Description:
Oslo, Norway - December 18, 2006 Opera Software today introduced real-time Fraud Protection
in its award-winning Web browser. Fraud Protection includes technology from GeoTrust, the
leading digital certificate provider, and PhishTank, a collaborative clearing house for
data and information about phishing on the Internet. Fraud Protection is available in Opera
9.1, the newest version of Opera's Web browser. Opera is available completely free at
www.opera.com.

+ Bypass Description
It is possible to bypass Fraud Protection by add some characters to URL address. URL will
be still valid and will work properly but we are not aware of Phishing warning.

At 2006.11 when version 9.10 was developed and Fraud Protection was tested I found that
when we add "." char at the end of domain in URL field - DNS systems still resolve this
address, Host: directive in HTTP GET will not break WWW server answer BUT for Fraud
Protection it will be another site than original and Fraud Test will fail. For example:
http://kaneda.bohater.net. != http://kaneda.bohater.net

After post to http://bugs.opera.com and on devel Opera forum, they made fix. [great!] In
Opera 9.10 this bug dosn't work of course.

But today when I`m running Final 9.10 version I have found that when I added "/" character
at the end of domain in URL it failed Phishing test again !!!

Example: When my URL is on Phishing List: http://kaneda.bohater.net/phish.html - warning
will be displayed

http://kaneda.bohater.net//phish.html - warning will NOT be displayed

Of course we can add more "/".

FireFox is vulnerable in that same way.

Like live shows [Firefox HexEncoding Anti-Phishing bypass URL:
http://sla.ckers.org/forum/read.php?13,2253 ] Phishers can use this technique in near
future to abusive actions.

+ Opera Timeline:
2006.12.20 bug discovered
2006.12.21 "/" bug sended to http://bugs.opera.com
2007.01.19 no response and patch from vendor - probably will be fixed in future
2007.02.06 posted to Bugtraq

+ Firefox Timeline:
2007.01.09 bug discovered
2007.01.19 "/" bug sended to http://bugzilla.mozilla.org [Bug 367538]
2007.01.19 answer from Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=367538
2007.02.06 posted to Bugtraq

Original Advisory:
http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phish
ing_protection.php
http://kaneda.bohater.net/security/20061220-opera_9.10_final_bypass_frau
d_protection.php

--
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
..
[+] You can take our lives,but you will never take our Freedom - W.Wallace
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama
[+] Revolution the only solution - System of a down...
[+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0
[-] Kanedaaa... Bohateur... Cucumber Team Member... kaneda (at) bohater (dot) net [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus