Iframes / objects can apparently bypass phishing protection in Firefox 188.8.131.52 and Opera 9.10 - IE7 is unaffected
As reported on email@example.com by "nsp", Firefox 184.108.40.206 and Opera 9.10 apparently fail to detect a phishing site if it is embedded in an IFRAME / OBJECT tag:
Demonstration pages can be seen here (warning, the URLs will prompt to install a Chinese language pack - there is no need to install the language pack):
The author of the email, nsp, states:
"Also, the following code can be used to bypass the phishing protection:
"<object type="text/html" classid="(phishing site)" data="(phishing site)"></object>"
The tests were realized using several many sites from Phishtank database. IE7 has no problems."
As a reminder, other problems with the Firefox phishing filter were revealed when it was reported back in February that the Firefox Phishing Filter can be disabled simply by adding an extra slash after the domain suffix:
According to Bugzilla, the "fix" for the backslash problem is something that needs to be done at Google's end. I note that there is discussion saying that things should be changed, but nothing to say that it has been changed, so I downloaded Firefox 220.127.116.11 to see what the situation is. Sure enough, the problem continues, so why was the bug closed as "resolved fixed"?
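Both gaps described above, a filter that looks only at the top-level URL and a blocklist lookup defeated by an extra slash, come down to what gets looked up and in what form. The following is an added example, not code from Firefox, Opera or the original email: a blocklist check that canonicalizes URLs and also checks documents embedded via IFRAME / OBJECT. The blocklist entry, sample page and function names are constructed for illustration, and the extra-slash variant is assumed to mean repeated slashes in the path.

```javascript
// Added example; BLOCKLIST and SAMPLE are constructed (reserved .example hosts).
const BLOCKLIST = new Set(["http://phish.example/login"]);

// Canonicalize before lookup. URL() lower-cases scheme/host and treats "\" as "/"
// for http(s); we then collapse repeated slashes and drop a trailing slash.
// Query string and fragment are ignored in this simplified lookup key.
function canonicalize(raw, base) {
  let u;
  try { u = new URL(raw, base); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  let path = u.pathname.replace(/\/{2,}/g, "/");
  if (path.length > 1 && path.endsWith("/")) path = path.slice(0, -1);
  return `${u.protocol}//${u.host}${path}`;
}

// Collect URLs of embedded documents: <iframe src>, <frame src>,
// <object data|classid>, <embed src>. Regex extraction is a simplification;
// a real filter would hook the browser's own document loader.
function embeddedUrls(html) {
  const out = [];
  const tagRe = /<(iframe|frame|object|embed)\b([^>]*)>/gi;
  const attrRe = /\b(src|data|classid)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const tag of html.matchAll(tagRe)) {
    for (const a of tag[2].matchAll(attrRe)) out.push(a[2] ?? a[3] ?? a[4]);
  }
  return out;
}

// Check the top-level URL and every embedded document URL; return raw URLs that hit.
function checkPage(pageUrl, html) {
  const hits = [];
  for (const candidate of [pageUrl, ...embeddedUrls(html)]) {
    const canon = canonicalize(candidate, pageUrl);
    if (canon && BLOCKLIST.has(canon)) hits.push(candidate);
  }
  return hits;
}

// Constructed sample: a harmless-looking wrapper page embedding a listed URL twice,
// once with an extra slash and once via <object> with a trailing slash.
const SAMPLE = `<html><body>
<iframe src="http://phish.example//login"></iframe>
<object type="text/html" data="http://phish.example/login/"></object>
<img src="http://cdn.example/logo.png">
</body></html>`;

console.log(checkPage("http://wrapper.example/", SAMPLE));
```

A lookup on the wrapper URL alone returns no hits for this sample; the hits come only from the embedded documents after canonicalization.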