Iframes / objects can apparently bypass phishing protection in Firefox 2.0.0.3 and Opera 9.10 - IE7 is unaffected
As reported on bugtraq@securityfocus.com by "nsp", Firefox 2.0.0.3 and Opera 9.10 apparently fail to detect a phishing site if it is embeded in an IFRAME / OBJECT label:
Demonstration pages can be seen here (warning, the URLs will prompt to install a Chinese language pack - there is no need to install the language pack):
http://zonafirefox.googlepages.com/prueba.html (using Javascript to create an iframe object)
http://zonafirefox.googlepages.com/prueba2.html (without Javascript)
The author of the email, nsp, states:
"Also, the following code can be used to bypass the phishing protection:
"<object type="text/html" classid="(phishing site)" data="(phishing site)"></object>"
The tests were realized using several many sites from Phishtank database. IE7 has no problems."
As a reminder, other problems with the Firefox phishing filter were revealed when it was reported back in February that the Firefox Phishing Filter can be disasbled simply by adding an extra slash after the domain suffix:
http://msmvps.com/blogs/spywaresucks/archive/2007/02/12/570602.aspx
According to Bugzilla, the "fix" for the backslash problem is something that needs to be done at Google's end. I note that there is discussion saying that things should be changed, but nothing to say that it has be changed, so I downloaded Firefox 2.0.0.1 to see what the situation is. Sure enough, the problem continues, so why was the bug closed as "resolved fixed"?