Vulnerability: Phishers can bypass the Firefox Phishing Filter very easily
This is far too easy; the Firefox Phishing Filter can be bypassed simply by adding an extra slash after the domain suffix.
Original advisory:
http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php
The discovery is on Bugzilla, and a demonstration is mentioned in the comments. The URLs I tested with are two that are mentioned in the discussion:
"http://222.173.145.98/.bankofamerica.com/sas/profile/step1.htm
triggers an alert
http://222.173.145.98/.bankofamerica.com//sas/profile/step1.htm
Does not trigger an alert"
Note this comment:
"Firefox is the only browser that fails with this, Opera's latest compilation has corrected this issue and IE is immune."
I can confirm that both of the above URLs trigger a phishing alert in Internet Explorer. Firefox 2.0.0.1 only flags the first URL as a phishing page.
According to Bugzilla, the "fix" is something that needs to be done at Google's end. I note that there is discussion saying that things should be changed, but nothing to say that it has been changed, so I downloaded Firefox 2.0.0.1 to see what the situation is. Sure enough, the problem continues, so why is the bug closed as "resolved fixed"?
How can we trust a phishing filter that can be bypassed so easily? The simple answer is that we cannot.
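One way a blocklist lookup can be made resistant to the extra-slash variant described above is to canonicalize the URL before comparing it. This is an added example, not code from the advisory, Firefox, or Google; the blocklist entry, the 192.0.2.10 address, the .example domain, and the function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed blocklist entry (documentation IP and .example domain, not real data).
BLOCKLIST = {"192.0.2.10/.bank.example/sas/profile/step1.htm"}


def canonicalize(url: str) -> str:
    """Return host + normalized path, the form used as the blocklist key."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    # Collapse runs of slashes: "//sas" and "/sas" fetch the same page on
    # most servers, so both spellings must map to the same key.
    path = re.sub(r"/{2,}", "/", path)
    # Resolve "." and ".." segments, keeping a trailing slash if present.
    trailing = path.endswith("/") and path != "/"
    path = posixpath.normpath(path)
    if trailing:
        path += "/"
    return host + path


def naive_is_blocked(url: str) -> bool:
    """Literal comparison: misses any variant spelling of a listed URL."""
    parts = urlsplit(url)
    return (parts.hostname or "") + parts.path in BLOCKLIST


def is_blocked(url: str) -> bool:
    """Compare canonical forms on both sides of the lookup."""
    canonical_list = {canonicalize("http://" + entry) for entry in BLOCKLIST}
    return canonicalize(url) in canonical_list


if __name__ == "__main__":
    listed = "http://192.0.2.10/.bank.example/sas/profile/step1.htm"
    variant = "http://192.0.2.10/.bank.example//sas/profile/step1.htm"
    for u in (listed, variant):
        print(u, "naive:", naive_is_blocked(u), "canonical:", is_blocked(u))
```

The literal comparison flags only the listed spelling, while the canonical comparison flags both.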