On the 10th of February 2007, when Firefox 2.0.0.1 was the most recent version, I wrote a blog posting about how to bypass the phishing protection of Firefox. Now I checked this issue again in version 2.0.0.2 and hey, it’s still there. If you would like to check, just use the following example:

Evil phishing site:
http://144.131.138.116/www.paypal.com/webscr_cmd=_login-run1847/

Normal site on the net, if we trust in Firefox:
http://144.131.138.116/www.paypal.com//webscr_cmd=_login-run1847/

For phishers, it’s very easy to abuse this issue by simply adding a random number of slashes wherever there is already one, and until the Firefox developers fix this bug, it’s a phisher’s paradise out there.
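
The slash-padding bypass above works whenever reported URLs are compared as raw strings. As an added example (not from the original post and not Firefox's code), this sketch contrasts an exact-match lookup with one that canonicalizes the URL first; the exact-match model of the flaw, the function names and the padded variants are assumptions made for illustration.

```javascript
// Added example. The blacklist entry is the URL quoted in the post; the exact-match
// lookup is an assumed model of the flawed behaviour, not Firefox's actual code.
const BLACKLIST = [
  "http://144.131.138.116/www.paypal.com/webscr_cmd=_login-run1847/",
];

// Flawed lookup: the candidate URL is compared byte for byte.
const rawSet = new Set(BLACKLIST);
function isBlockedNaive(url) {
  return rawSet.has(url);
}

// Reduce a URL to one canonical spelling before comparing.
// The WHATWG URL parser lowercases scheme and host and resolves "." and ".."
// segments, but it keeps empty path segments, so "//" must be collapsed here.
function canonicalize(rawUrl) {
  const u = new URL(rawUrl);          // throws on unparseable input
  u.hash = "";                        // the fragment never reaches the server
  u.pathname = u.pathname.replace(/\/{2,}/g, "/");
  return u.toString();
}

// Hardened lookup: both the stored entries and the candidate are canonicalized.
const canonicalSet = new Set(BLACKLIST.map(canonicalize));
function isBlocked(url) {
  try {
    return canonicalSet.has(canonicalize(url));
  } catch (e) {
    return false;                     // not a navigable URL, nothing to block
  }
}

// Constructed variants of the listed URL: only the number of slashes differs.
const VARIANTS = [
  "http://144.131.138.116/www.paypal.com/webscr_cmd=_login-run1847/",
  "http://144.131.138.116/www.paypal.com//webscr_cmd=_login-run1847/",
  "http://144.131.138.116///www.paypal.com/webscr_cmd=_login-run1847////",
];

function compareLookups() {
  return VARIANTS.map((url) => ({
    url,
    naive: isBlockedNaive(url),
    hardened: isBlocked(url),
  }));
}

console.log(compareLookups());
```

Only the first variant matches the naive lookup, while all three match once both sides are canonicalized.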


3 Comments to “Firefox Phishing Protection bypass still works in 2.0.0.2”  

  1. liberation frequency

    The bug is already in the bug system from Mozilla, we can only wait.
    https://bugzilla.mozilla.org/show_bug.cgi?id=367538

  2. liberation frequency

    And the bug works with Firefox 2.0.0.3, too.

  3. Disenchant

    Thanks for the information.
    At least now the bug’s assigned to Tony Chang (Google) and so I think it will be fixed in the next version (or at least in one of the next).
