web application security lab

Firefox 2.0 Anti-Phishing Filter Vulnerable To Evasion

Jungsonn has only been a member of the forums for one day and he hits big with IP encoding that evades Firefox’s anti-phishing filter. This isn’t the first time I’ve seen this sort of thing, but it’s the first time I’ve seen it in a commercial browser. What Firefox is doing is a direct string compare against the URL. Using the IP obfuscation calculator you can create IP addresses that don’t match what is in the anti-phishing list. But it’s even worse than Jungsonn reported.

That’s right, go to any phishing site and add in a QUERY_STRING to the end of the URL and poof, no more popup. What a bummer. I was really hoping they would do something a little smarter with this. Unfortunately with this knowledge it is extremely easy to defeat the anti-phishing detection built into Firefox’s newest browser.

The QUERY_STRING issue is a tough one to solve, because how do you know which part of the URL to compare against? The IP address issue that Jungsonn came up with really bothers me. Why would you use the URI field to do comparisons instead of the IP address that it is normalized to? Is it an oversight? Oh well, I hope they fix this soon.
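The exact-string check described above, placed beside a comparison that first canonicalizes the URL (decoding numeric-IP spellings and dropping the query string), as an added Python example. This is not Firefox’s code; the blocklist entry and test URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed blocklist entry for illustration (not a real phishing site).
BLOCKLIST = {"http://10.1.2.3/login.php"}

def naive_match(url):
    """The check the post describes: the raw URL must equal a list entry."""
    return url in BLOCKLIST

def parse_numeric_host(host):
    """Decode an IPv4 host written as a single integer, in hex, in octal,
    or with fewer than four parts (inet_aton rules) into dotted-quad form.
    Returns None when the host is not a numeric IPv4 spelling."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    vals = []
    for p in parts:
        try:
            if p.lower().startswith("0x"):
                vals.append(int(p, 16))
            elif len(p) > 1 and p[0] == "0" and p.isdigit():
                vals.append(int(p, 8))
            elif p.isdigit():
                vals.append(int(p, 10))
            else:
                return None
        except ValueError:
            return None
    # all but the last part are single bytes; the last fills the remaining bits
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 256 ** (5 - len(vals)):
        return None
    num = 0
    for v in vals[:-1]:
        num = (num << 8) | v
    num = (num << (8 * (5 - len(vals)))) | vals[-1]
    return str(ipaddress.IPv4Address(num))

def canonicalize(url):
    """Comparison form: lowercase scheme, decoded numeric host, default
    port dropped, query string and fragment removed, '/' for an empty path."""
    parts = urlsplit(url)
    host = parse_numeric_host(parts.hostname or "") or (parts.hostname or "")
    port = parts.port
    if port and port != {"http": 80, "https": 443}.get(parts.scheme.lower()):
        host = f"{host}:{port}"
    return urlunsplit((parts.scheme.lower(), host, parts.path or "/", "", ""))

def normalized_match(url):
    """Compare the canonical form, so a query string or an obfuscated IP
    no longer hides a listed URL."""
    return canonicalize(url) in BLOCKLIST
```

Entries in the blocklist must themselves be stored in canonical form for this comparison to work.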

12 Responses to “Firefox 2.0 Anti-Phishing Filter Vulnerable To Evasion”

  1. kuza55 Says:

    Well, I can’t say I know what the Firefox devs were thinking, but it is possible that they didn’t want to discriminate against shared hosting providers who may have several websites on one IP address, or have your web servers behind a NAT firewall, and so all the webservers have the same address, and are only differentiated by Host headers.

    And as we’ve seen phishers much prefer using domains which look like the actual domain to entice people to click on their links, if phishers can’t use similar domains because they get caught and decide to use IP addresses, users would be considerably more suspicious.

    The only solution I could think of would be to implement some signatures which are used if the site resolves to the same IP as the URL to check if it’s a phishing page, but I think that the devs probably decided that it would take up too much space and time and that the larger danger in phishing was the similar domain names.

  2. MERLiiN Says:

    Scary find, Good work, Kudos all around!

    I think the reason for matching against the URI field rather than the IP stems from shared hosting and server farm scenarios where blocking access based on an IP can block legit sites in a shared hosting environment or fail to block a reported site in a server farm or load balanced environment. I still think that the filtering should have been done on the URL itself rather than the entire URI string as the QUERY_STRING presence “should” not alter the file location. That still leaves cgi proxies and other url bypass techniques active, but it is a much better situation than the protection currently offered.

    MERLiiN

  3. Nicolás Says:

    I tested it on IE7 and the same thing happens. This is not only for Firefox, IE7 is vulnerable too. Btw, have you reported the bug to Bugzilla? Very interesting article, thanks :)

  4. Carlos Says:

    That is bad, but maybe it will ease phishing detection in mail clients. If a URL contains a hex-coded address, it should be marked as a fraud email (as in Thunderbird).

  5. Carlos García Argos v2.0 Says:

    Vulnerability in the Firefox 2.0 anti-phishing alert…

    Technorati Tags: bug, vulnerability, Firefox 2.0, phishing
    Kriptópolis reports that the Firefox 2.0 anti-phishing system does not work as well as it should. If an IP address that is on the blacklist maintained by Google is encoded in …

  6. aTaAB Says:

    Or, consider that FireFox was forced to implement the Google anti-phishing filter plug-in Beta code and decided not to take it to the next level. Send this one back to Google labs - looks like graduation was a bit premature - more beta please.

  7. Benson Says:

    A phishing site targeting financial banks in Taiwan.
    http://linway.us/

  8. Martin Aberastegue » Virus Informáticos… ¡En Vivo! Says:

    […] On ha.ckers.org they published an article on this same topic. It all centers on the infinite representations a URL can have; we are talking about canonical URLs, in short the infinite ways of representing them. Using tools like this one, anyone can bypass the list-based filters these browsers are using, and building on what Cristian said in his seminar, any spammer could create a macro with a huge list of obfuscated URLs and so prolong their malicious stay on the net and avoid the quick takedown these sites are usually accustomed to. […]

  9. zean.no-ip.info » Nueva chapuza en Firefox 2.0: su mecanismo anti-phishing Says:

    […] A note on Ha.ckers.org put me on alert today. “It can’t be, it can’t be,” I said to myself. But I set out to check everything point by point, and the facts are what they are, and they show (in my view) that the current anti-phishing mechanism in Firefox 2.0 is useless, since any malicious site can bypass it simply by encoding the site’s address in hexadecimal. […]

  10. Jungsonn Says:

    @aTaAB who Said:

    Quote:
    Or, consider that FireFox was forced to implement the Google anti-phishing filter plug-in Beta code and decided not to take it to the next level. Send this one back to Google labs - looks like graduation was a bit premature - more beta please.
    /Unquote

    Hm, yes.

    Blacklisting is a bold thing, and rarely has any practical use. It stops the novice, but die hards remain and just switch to other/better alternatives; if anyone ever tried to protect spammers on a blog/site by blocking their IP, they should know this worked for a couple of days.

    I think that the idea of the FireFox team about implementing such a thing comes from a purely renegade idea. The battle between MSIE & FF is going to be won by the party who just takes time to build a good browser. FF has come a long way, and it seems with all the new toys in it, they do not take the time anymore to really test it and only focus on the battle instead of its users; if they have tested it properly: shame on them. I mean there were many holes in FF the last time, in comparison with MSIE and Opera; I thought that Opera had 2 holes last year, and FF about 21 holes or so. Ah well.

  11. ha.ckers.org web application security lab - Archive » The Web Application Security Good - oh yah, and Bad and the Ugly Says:

    […] 1) Internet Explorer 7.0 and Firefox 2.0 finally got anti-phishing installed on their browsers by default. This was a huge win for consumers because it finally gave them an out of the box tool. No more would they have to know enough to download some tool to protect themselves. Only problem is it doesn’t work very well. We’ve found many ways around each of these tools. But at least they’re trying! And with upwards of 90% of the market share collectively between the two browsers, that’s a big dent - even with the holes. […]

  12. ha.ckers.org web application security lab - Archive » Back From RSACon Says:

    […] Veditz shows up from Mozilla to talk to me. Oooh… yah, sorry about […]