Firefox vulnerable to Extended Validation spoof
Security researcher Jeroen van der Gun reported that if RSS or Atom XML invalid content is loaded over HTTPS, the addressbar updates to display the new location of the loaded resource, including SSL indicators, while the main window still displays the previously loaded content. This allows for phishing attacks where a malicious page can spoof the identify of another seemingly secure site.
That’s the description of a security problem in Firefox, Thunderbird and SeaMonkey inside Mozilla Foundation Security Advisory 2012-33, with impact high. It’s the problem I discovered earlier this year in Firefox 9 and the bug is even present in Firefox 3.6. Please update to Firefox 12 (ESR: 10.0.4), Thunderbird 12.0 (ESR: 10.0.4) and SeaMonkey 2.9, which were released yesterday.
It wouldn’t be wise to provide all technical details at this time about how it works. However, I can illustrate what you can do with it:
This video used a valid certificate for jeroenvandergun.nl, but the spoof visually replaces it with the Extended Validation certificate of Twitter. If you don’t have a certificate yourself, you can also do the attack without HTTPS: the user can then see the lack of HTTPS in the address bar, but he will still see the security indication in the site identity button. If the victim certificate does not feature Extended Validation, you can use it to spoof a secure connection to your own domain without HTTPS.
I will post more technical information about this bug on this blog later on, so stay tuned.
Update: Mozilla has disclosed all information regarding bug 714631. This includes all technical information.