Firefox 2.0.0.1 and Opera 9.10 Anty Fraud/Phishing Protection bypass.

Firefox 2.0.0.1 and Opera 9.10 Anty Fraud/Phishing Protection bypass.

• Subject:
  Firefox 2.0.0.1 Phishing Protection bypass
  Opera 9.10 Fraud Protection bypass

• Version:
  Firefox 2.0.0.1 [ Linux | Windows ]
  Opera 9.10 Final [ Linux build 521 | Windows build 8679 ]

• Discovered by:
  Kanedaaa: http://kaneda.bohater.net

• Impact:
  Low

• Firefox Phishing Protection Description:
  Phishing Protection takes Firefoxs security to a new level, helping to safeguard your
  financial information and protect you from identity theft. When you encounter a Web site
  that is a suspected forgery (known as a phishing site) Firefox will warn you and offer to
  take you to a search page so you can find the real Web site you were looking for.

• Opera Fraud Protection Description:
  Oslo, Norway - December 18, 2006 Opera Software today introduced real-time Fraud Protection
  in its award-winning Web browser. Fraud Protection includes technology from GeoTrust, the
  leading digital certificate provider, and PhishTank, a collaborative clearing house for
  data and information about phishing on the Internet. Fraud Protection is available in Opera
  9.1, the newest version of Opera's Web browser. Opera is available completely free at
  www.opera.com.

• Bypass Description
  It is possible to bypass Fraud Protection by add some characters to URL address. URL will
  be still valid and will work properly but we are not aware of Phishing warning.

At 2006.11 when version 9.10 was developed and Fraud Protection was tested I found that
when we add "." char at the end of domain in URL field - DNS systems still resolve this
address, Host: directive in HTTP GET will not break WWW server answer BUT for Fraud
Protection it will be another site than original and Fraud Test will fail. For example:
http://kaneda.bohater.net. != http://kaneda.bohater.net

After post to http://bugs.opera.com and on devel Opera forum, they made fix. [great!] In
Opera 9.10 this bug dosn't work of course.

But today when I`m running Final 9.10 version I have found that when I added "/" character
at the end of domain in URL it failed Phishing test again !!!

Example: When my URL is on Phishing List: http://kaneda.bohater.net/phish.html - warning
will be displayed

http://kaneda.bohater.net//phish.html - warning will NOT be displayed

Of course we can add more "/".

FireFox is vulnerable in that same way.

Like live shows [Firefox HexEncoding Anti-Phishing bypass URL:
http://sla.ckers.org/forum/read.php?13,2253 ] Phishers can use this technique in near
future to abusive actions.

• Opera Timeline:
  2006.12.20 bug discovered
  2006.12.21 "/" bug sended to http://bugs.opera.com
  2007.01.19 no response and patch from vendor - probably will be fixed in future
  2007.02.06 posted to Bugtraq

• Firefox Timeline:
  2007.01.09 bug discovered
  2007.01.19 "/" bug sended to http://bugzilla.mozilla.org [Bug 367538]
  2007.01.19 answer from Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=367538
  2007.02.06 posted to Bugtraq

Original Advisory:
http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php
http://kaneda.bohater.net/security/20061220-opera_9.10_final_bypass_fraud_protection.php

–
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]…
[+] You can take our lives,but you will never take our Freedom - W.Wallace
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama
[+] Revolution the only solution - System of a down…
[+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0
[-] Kanedaaa… Bohateur… Cucumber Team Member… [email protected]