Mozilla claims fixing flaw would create bigger headaches than dismissing it

UPDATED Mozilla is yet to fix a tricky URL address bar spoofing bug in Firefox which was first reported two years ago.

The exploit, developed by security researcher Luan Herrara, relies on the victim clicking anywhere on a booby-trapped website.

Thereafter if the target attempts to reach any other website using the address bar, they will remain on a spoofed page instead.

The impact of the vulnerability could be considerable. For example, the attacker page could steal your username and password from PayPal if the spoofed page looked like the legit online payment site.

Mozilla told The Daily Swig that fixing the flaw – which it rates as relatively mild – would cause more problems than it solves.

Stuck on Url

The Daily Swig has verified that the ruse continues to work on even the latest version of Firefox. The undesirable behavior is absent from Chrome, Safari, or other mainstream browsers.

Herrara highlighted that the flaw still worked – two years after they first reported it – through a post on Twitter earlier this week.

The exploit relies on using a variation of a resolved vulnerability in order to dismiss a dialog box that would otherwise warn surfers that they were anchored on a site.

Mozilla told The Daily Swig that far from ignoring the bug it had decided that fixing it caused more problems than it solved.

“One criterion we use to evaluate bugs is the trade-off between a ‘fix’ possibly causing more harm and the severity of the initial problem,” a Mozilla spokesperson explained. “That was the case with this particular bug which is why it remains open.

“Potential fixes present multiple navigational edge cases that could have been worse than the original problem.”

“We are still examining alternative approaches to address this issue,” they added.

This spoofing vulnerability received a sec-moderate security rating, meaning it “does not pose an ongoing or immediate danger to Firefox users”, according to Mozilla.

“In order to carry out an attack using this vulnerability, the user needs to navigate within the address bar and the attacker must know which website the user is attempting to visit, in order to spoof that specific site,” a Mozilla spokesperson said. “Furthermore, the spoofed site will not have the security and privacy indicators that typically appear on legitimate, non-spoofed websites (ie. lock indicators and shield icon).”


This story has been updated throughout to add comment on the bug from Mozilla.


READ MORE Firefox bug bounty: Mozilla raises payouts and abandons ‘first reporter wins’ policy