Mozilla eases fears over phishy URL alert

User confusion unlikely

Mozilla developers have eased concerns about the severity of a security feature in Firefox that often fails to warn users when they've encountered obfuscated URLs that might lead to malicious websites.

Developers of the open-source browser have known of the URL warning bypass since at least June, when it was reported here. Under most circumstances, Firefox will display a warning when users click on links that contain addresses that have been obfuscated to hide their true destination. But when users encounter encoded URLs in inline frames embedded in a webpage, no such alert is delivered.
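The bypass described above hinges on the encoded iframe address never being normalised before the page decides whether to warn. As an added illustration, not code from Mozilla, Armorize or this article, the following defender-side scanner pulls every iframe `src` out of an HTML document and unwinds the usual obfuscations (bounded percent-decoding, a `user@` prefix that hides the real host, and integer or hex spellings of an IPv4 host) so the true destination can be compared with what the markup appears to point at. The sample HTML and the hosts in it are constructed; they use documentation address ranges only.

```python
"""Reveal the true destination of obfuscated <iframe> links (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class IframeSrcCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def iframe_sources(html):
    parser = IframeSrcCollector()
    parser.feed(html)
    return parser.sources


def normalise_host(host):
    """Rewrite a host given as a single decimal or hex integer (e.g. 0x7f000001)
    into a dotted quad; ordinary hostnames are just lower-cased."""
    host = host.lower()
    try:
        return str(ipaddress.IPv4Address(int(host, 0)))
    except ValueError:
        return host


def true_destination(raw_url, max_decode=3):
    """Return (scheme, canonical host, path, findings) for one URL.

    Percent-decoding is repeated a bounded number of times so that double
    encoding is unwound without looping forever on pathological input.
    """
    findings = []
    url = raw_url
    for _ in range(max_decode):
        decoded = unquote(url)
        if decoded == url:
            break
        findings.append("percent-encoded")
        url = decoded
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" in netloc:
        # Everything before the last '@' is userinfo; the real host follows it.
        findings.append("userinfo prefix hides real host")
        netloc = netloc.rsplit("@", 1)[1]
    host = netloc if netloc.startswith("[") else netloc.split(":")[0]
    canon = normalise_host(host)
    if canon != host.lower():
        findings.append("numeric host rewritten to %s" % canon)
    return parts.scheme.lower(), canon, parts.path or "/", findings


def scan(html):
    """Map each iframe src to its decoded host and the obfuscations found."""
    report = []
    for src in iframe_sources(html):
        _scheme, host, _path, findings = true_destination(src)
        report.append({"src": src, "host": host, "findings": findings})
    return report


# Constructed sample page: one honest frame, one userinfo trick hidden behind
# a percent-encoded '@', and one host written as a bare 32-bit integer.
SAMPLE_HTML = """
<html><body>
<p>Trusted content</p>
<iframe src="http://www.example.com/page.html"></iframe>
<iframe src="http://www.example.com%40198.51.100.7/login"></iframe>
<iframe src="http://3221226219/index.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for entry in scan(SAMPLE_HTML):
        print(entry["src"], "->", entry["host"], entry["findings"])
```

Run stand-alone, the script reports `www.example.com` with no findings for the first frame, `198.51.100.7` (not `www.example.com`) for the second, and `192.0.2.235` for the integer-encoded third. The same normalisation step is what a browser, proxy or mail gateway would need to apply before deciding whether an address deserves a warning.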

“This impacts the user security because obfuscated links in the iframes might trick the user to visit false links,” the person reporting the behavior wrote.

On Tuesday, the same person, who turns out to be a researcher from web security firm Armorize, repeated the warning. “In certain cases, it can be used effectively in spreading malware and stealing sensitive information,” Aditya K Sood wrote on the Armorize blog.

But Mozilla said Tuesday that they don't believe the behavior represents much of a risk because the obfuscated links aren't visible during normal surfing, anyway.

“Most users don't look at the HTML source of the pages they are loading, which is the only way you'd encounter this URL,” Johnathan Nightingale, Mozilla's director of Firefox development, said in a statement. “We do not anticipate this bug would cause user confusion or deception.”

The statement went on to remind world+dog that Firefox ships with protection that automatically warns users when they're about to access pages identified in phishing or malware scams.

In his post, Sood also pointed to this link in suggesting that Google Chrome exhibited its own obfuscated URL bypass behavior. ®

The headline and first sentence of this article were updated to clarify Mozilla's statement.
