How to bypass Mozilla Firefox 2.0 Phishing-Filter
3 Comments. Published October 24th, 2006 in security.
I’ve been using Mozilla Firefox for a long time now, so I’m happy to have version 2.0 as of today.
But of course, given my profession and hobby as a security guy, the first thing I did was test the new security features. One of these is the Phishing-Filter, and here’s my workaround.
Option 1:
The easiest way to bypass the filter is to change the URL. Of course, if you’re a phisher you won’t like this approach, because it makes it impossible to fake a URL like your-bank.abcdefghijklmnopqrstuvwxyz.bad-site.com. But it’s interesting to know about this possibility.
First we take a real, live phishing website, which we can find at phishtank.com.
The next step is to transform our phishing URL into another one. Normally we could do that with the tinyurl.com service, but they filter out phishing sites, so it’s not the service of a phisher’s choice. So we need another, similar service, and there is, for example, atomurl.com. This service doesn’t block our transformation. The only thing we have to do now is transform the URL of our phishing site into a short one from atomurl.com. That’s it: the phishing filter won’t block someone who goes to this site.
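Seen from the filter's side, Option 1 is a blocklist lookup that only ever sees the first URL requested. The following added example (not code from the original post or from Firefox) contrasts that lookup with one that checks every hop of a redirect chain; all hosts, the blocklist and the redirect table are constructed sample data.

```javascript
// Added example, not from the original post. Every URL, the blocklist and the
// redirect table below are constructed sample data so the check runs offline.
const BLOCKLIST = new Set(["http://bad-site.example/login"]);

// Constructed stand-in for HTTP 3xx answers; a real checker would follow the
// Location header of each response instead of reading this table.
const REDIRECTS = new Map([
  ["http://short.example/a1", "http://hop.example/r?id=7"],
  ["http://hop.example/r?id=7", "http://bad-site.example/login"],
  ["http://short.example/loop", "http://short.example/loop"],
]);

// Normalise so case, default port and fragment variations hit the same entry.
function canonical(raw) {
  const u = new URL(raw); // lowercases scheme and host, drops default ports
  u.hash = "";
  return u.href;
}

// Weak form: only the URL as first requested is looked up.
function checkFirstOnly(url) {
  return BLOCKLIST.has(canonical(url));
}

// Hardened form: look up every hop, stop on loops and over-long chains.
function checkChain(startUrl, maxHops = 5) {
  const chain = [];
  let current = canonical(startUrl);
  while (true) {
    if (chain.includes(current)) return { verdict: "redirect-loop", chain };
    chain.push(current);
    if (BLOCKLIST.has(current)) return { verdict: "blocked", chain };
    const next = REDIRECTS.get(current);
    if (next === undefined) return { verdict: "allowed", chain };
    if (chain.length > maxHops) return { verdict: "too-many-redirects", chain };
    current = canonical(next);
  }
}

console.log(checkFirstOnly("http://short.example/a1"));
console.log(checkChain("http://short.example/a1"));
```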
Option 2:
As we’ve seen, there’s a very simple way to bypass the Phishing-Filter of the new Firefox, but it’s not very good if you as a phisher would like to “fake” the URL of your site. So here’s the way I found to bypass the filter, in proof-of-concept form.
First we need somewhere to generate an iframe whose source is our phishing site, which would normally trigger an alert from the Phishing-Filter in Firefox. Now we have to put some JavaScript in the header of our phishing example.
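<script language="JavaScript">
  // Remember the URL of this (framed) page.
  var sThisURL = window.location.href;

  // If this page is loaded inside a frame, replace the top-level
  // document with this page's own URL.
  function doFramesBuster()
  {
    if ( top.location != self.location )
    {
      top.location.replace( sThisURL );
    }
  }
</script>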
So, that’s it. If you now load your site which includes the iframe, it will reload itself and voilà, there’s no longer any phishing alert, yet it’s your phishing site, including the original URL.
Attention:
It seems like there was an anomaly in my Firefox. Option 2 will not work in the way I described. It’s interesting anyway that the message which says that it’s a phishing site pops up about one second later than it does if you directly navigate to the same site. Sorry for the false alarm.
Sven,
Nevermind about the false-positive. You are looking in an interesting area.
This is definitely an area I will be looking into fairly soon. I have particular interest in status bar spoofing techniques. I want to implement these into jsscanner.
Help me please…
I just installed Firefox 2.0, and all of a sudden, my username/password isn't being inserted in the signon window (it always was before). I tried the usual suspects–I did not mistakenly tell FF not to remember the password for this site; and I also tried the remember password bookmarklet, but all to no avail–FF will not ask me to remember this password. What do I need to do to get around this?
Hi Nikolas,
if you set the password remember functionality to on in the password section at Edit -> Preferences -> Security, I don’t know why it won’t work. Have you tried different sites to check whether it could be a problem with only one site?
From a security point of view I have to say that you shouldn’t use this functionality anyway, because it’s very easy to get your passwords, for example through XSS (I didn’t try it in FF 2.0, but it should also be no problem).