web application security lab

Phishing Using FasterFox Prefetching

I actually had to read this email several times before I got it - paranoia taking over - I thought I was being told my site was hacked. No, it is just another interesting way to abuse people, one that a reader found while visiting my site. This time the email comes from Alex, who found that pre-fetching can be used to phish users in certain circumstances.

When I’m visiting http://ha.ckers.org/blog/20070608/cross-domain-basic-auth-phishing-tactics/ my Firefox showed the HTTP-Auth dialog immediately, which I placed on my subdomain testing.bitsploit.de. But why, I asked myself.

I looked into your HTML source to find a hidden image or something like this, but I didn’t find anything but the link. I haven’t clicked on the link, so why does it pop up? Then I figured out that the FasterFox extension for Firefox prefetches that link and that’s why the HTTP-Auth dialog pops up.

So there’s another chance to trick FasterFox-users (in forums) without having to use HTML/BBcode for embedding images.

Alex is absolutely right. In fact, this is the exact reason I never used to use Opera (it turns out this is not the same kind of prefetching that Opera does, as I only just learned). Sure, you can turn it off, but pre-fetching has always seemed dangerous to me. It speeds things up because it fetches and caches results ahead of time, but if a pre-fetched request triggers something, like auto-deletion of your account, or automatically adds something to a shopping cart, or anything else with a side effect, you run into some pretty serious problems. Think CSRF. So yes, this apparently can also be used for phishing in FasterFox. But either way, it’s a very cool example of why pre-fetching can be nasty.
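The server-side consequence of the point above (and of the caching discussion in the comments) is that a site cannot tell a prefetcher's request from a click until the request has already arrived, so the only robust defence is to make sure no GET has side effects and every state change needs proof of intent. The handler below is an added example, not code from this post or from FasterFox; it is a toy WSGI-style dispatcher with a constructed in-memory session store and one hypothetical state-changing action, `/account/delete`. It also declines to act on requests carrying the `X-moz: prefetch` header that Firefox's built-in link prefetching sends (documented in the Link prefetching FAQ linked in the comments); whether FasterFox sends any such marker is not stated on the page, so that check is defence in depth, not the primary control.

```python
"""Prefetch-safe request handling: GETs never change state, POSTs need a CSRF token.
Constructed example with an in-memory session store; not the blog's code."""
import hmac
import secrets

# Constructed demo state (hypothetical session id and user).
SESSIONS = {"sess-1": {"user": "alice", "csrf": secrets.token_hex(16)}}
ACCOUNTS = {"alice": "active"}
AUDIT_LOG = []  # every request the server actually received, cached or not


def handle(method, path, headers, cookies, form):
    """Dispatch one request. Returns (status, body).

    headers, cookies and form are plain dicts; header names are matched
    case-insensitively.
    """
    AUDIT_LOG.append((method, path))  # the server sees it before any cache decision
    hdrs = {k.lower(): v for k, v in headers.items()}

    # Speculative requests from Firefox's built-in prefetcher are marked with
    # "X-moz: prefetch". Answer them with an empty response: no side effect and
    # no WWW-Authenticate challenge, so nothing fires without a user action.
    if hdrs.get("x-moz", "").strip().lower() == "prefetch":
        return 204, ""

    session = SESSIONS.get(cookies.get("sid"))

    if path == "/account/delete":
        # A GET must never change state: prefetchers, link checkers and
        # <img> tags all issue GETs with no user intent behind them.
        if method != "POST":
            return 405, "use POST"
        if session is None:
            return 401, "login required"
        # Proof of intent: a per-session CSRF token, compared in constant time.
        token = form.get("csrf", "")
        if not hmac.compare_digest(token, session["csrf"]):
            return 403, "bad csrf token"
        ACCOUNTS[session["user"]] = "deleted"
        return 200, "account deleted"

    if path == "/profile":
        # Read-only pages are safe to prefetch; nothing here mutates state.
        if session is None:
            return 401, "login required"
        return 200, f"{session['user']}: {ACCOUNTS[session['user']]}"

    return 404, "not found"


if __name__ == "__main__":
    cookies = {"sid": "sess-1"}
    # What a prefetcher or a forum link would produce: a bare GET.
    print(handle("GET", "/account/delete", {}, cookies, {}))
    # What Firefox's own prefetcher would produce.
    print(handle("GET", "/account/delete", {"X-moz": "prefetch"}, cookies, {}))
    # What a real form submission produces.
    print(handle("POST", "/account/delete", {}, cookies,
                 {"csrf": SESSIONS["sess-1"]["csrf"]}))
    print(AUDIT_LOG)
```

Note that `AUDIT_LOG` records all three requests: whatever caching policy the response carries, the request has already reached the server, which is why the comments conclude that caching is irrelevant to the CSRF side of this.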

15 Responses to “Phishing Using FasterFox Prefetching”

  1. Ix Says:

    That’s a pretty scary find. Never trusted pre-fetching for much the same reason, really don’t like the idea of the browser just looking at everything it can find even when I’m never gonna look at much of what it finds. There’s no telling what the browser may find and with how crafty some of the bad guys are pre-fetching just can’t be worth it. Being owned without actually visiting a compromised site just so my browser loads the next page I click a little bit faster is not an even trade in my mind.

    On a forum it’s even scarier since the one forum my friend runs still gets a few throw-away accounts spamming it every so often, and if those spammers linked to an exploit, pre-fetching means they can win big at your expense should you check the forum before an admin finds and deletes the post. They’re even crafty enough I wouldn’t put it past them since they post like normal people for a bit then spam a bunch of garbage to the forum suddenly. My friend’s forum is a really small one on an esoteric subject so I imagine things must be worse on bigger forums too.

  2. Hallvord R. M. Steen Says:

    Your comments about Opera are quite confusing. This is an issue with Firefox (which seems to support pre-fetching both with an extension and for some cases within the core engine which caused some stir a while ago - see for example http://joi.ito.com/archives/2005/04/04/google_sending_prefetch_cookies.html ).

    Opera on the other hand, never implemented prefetching. It doesn’t seem like a feature worth having. (In any case users who *really* want to can write user javascript to do similar things). So why did you start discussing Opera (except as an example of a sane implementation?)??

  3. zeno Says:

    This is how many download accelerators work. Probably worth sticking in the CSRF faq actually.

  4. RSnake Says:

    @Hallvord - I thought it did exist. Eg: http://list.opera.com/pipermail/opera-users/2006-July/027577.html

  5. Hallvord R. M. Steen Says:

    Ah, that’s a very different feature. In that E-mail “prefetching” means immediately starting a file download when you have clicked a link to a binary (while you decide where you want to save it). Many other UAs don’t start the file download until you confirm a file name to save the download to. It’s a nice little feature to speed up your downloading and it naturally has nothing to do with what the Firefox people call “prefetching”. Clarified? :-)

  6. RSnake Says:

    Oh, my bad - I saw several things talking about pre-fetching, and figured it was the same thing. My apologies. I’ll rectify the post.

  7. Hallvord R. M. Steen Says:

    Thanks for correcting the post :)

  8. Rajagopal Says:

    I thought that only static pages would be prefetched. I remember reading something of that kind somewhere in the description of either Opera or Fasterfox. Can’t recollect exactly which one it is. In such a case, deletion of account, etc shouldn’t be possible I guess, as long as the web developers are even marginally sensible.

  9. RSnake Says:

    @Rajagopal - how would you know if something was static or dynamic until after you’ve requested it and gotten the headers back (at a minimum)?

  10. Ronald van den Heetkamp Says:

    @RSnake

    You can’t, only the headers know the modification dates like the ETag c.q. If-None-Match, which the browser first negotiates with the server, then in turn the server can send back what he wants, unless there is an expiration date set.

  11. Ronald van den Heetkamp Says:

    correction: unless there is NO expiration date set, cause then it will load from cache. e.g. if the ETag hash isn’t changed.

    Sorry, posted it too quickly. ;)

  12. RSnake Says:

    @Ronald - I know, I was being facetious. The point being, you have to prefetch to know that you shouldn’t cache, but by that point it’s already too late for CSRF. Caching is irrelevant.

  13. Ronald van den Heetkamp Says:

    ;) ok, yeah I kinda figured you would, I thought it would be supplemental info for others.

  14. Wladimir Palant Says:

    Actually, Firefox has prefetching built-in (http://developer.mozilla.org/en/docs/Link_prefetching_FAQ). However, this will only prefetch links where the site owner explicitly specified that they should be prefetched. This prefetching is also well-implemented - it does the requests and puts the results in cache but doesn’t parse anything.

    As to Fasterfox - this extension offers lots of such “features” that haven’t been really thought through and will cause breakage in unexpected ways. Prefetching came into discussion a few years ago because it would waste insane amounts of bandwidth, it has been disabled by default after that (but never removed). I also remember people complaining about popups coming up when they searched on Google - you can probably guess why. Another “favorite” Fasterfox feature of mine is the change of connection count preferences - Fasterfox always sets a ridiculously high value for the number of connections the browser can open to one server. This defeats the whole purpose of persistent HTTP connections (Keep-Alive) and actually hurts the browsing performance - not to mention that it hurts the servers.
