New Firefox iFrame Bug Bypasses URL Protections

UPDATED–There is a bug in Mozilla’s flagship Firefox browser related to the way the browser handles obfuscated URLs in iFrames. However, a Mozilla official said the bug poses “very low” risk to users.

Johnathan Nightingale of Mozilla said in a blog post late Tuesday that the bug poses little risk to users. “This issue poses very low risk to users. This attack relies on user confusion about the true destination of a link, and only someone examining the HTML source of the page would ever see the deceptive URL. Most users do not view the source of loading pages, and are therefore unlikely to be impacted by this attack,” Nightingale, the director of development for Firefox, wrote.

He added that the company doesn’t plan to fix the bug, as there is little chance of it being exploited. “There is currently no fix in plan since Mozilla does not believe this can be used to attack users. Firefox ships with built-in phishing and malware protection that warns users if they are attempting to visit a dangerous URL, and these attempts at deception do not impact that protection,” he wrote.

The problem of URL obfuscation is not a new one, and neither is it novel for attackers to use iFrames as an infection vector for visitors to a compromised Web site. Web-based attacks have been employing various forms of URL obfuscation for years now, and iFrames are a favorite of attackers because of their ability to perform malicious actions in the background of a victim’s Web session.

The new flaw, which already is in the Mozilla Bugzilla system, is in all of the current versions of Firefox, according to researchers at Web application security firm Armorize. URL obfuscation often is used by attackers to hide the true address of a malicious site that they’re directing users to, typically as part of a phishing or drive-by download attack. But browsers now check for this behavior and will warn users when a URL appears to have been tampered with, explaining that this may not be the site they’re looking for.

The Firefox bug defeats this protection, the Armorize researchers say.

“On performing analysis of various malware, a bug has been noticed in all version of Firefox which fails to generate an alert when obfuscated URL is being placed in Iframes. In certain cases, it can be used effectively in spreading malware and stealing sensitive information. While discussions on BugZilla, it is noticed that Firefox behavior is completely different in these two scenarios which should not happen,” Aditya Sood of Armorize said in a blog post on the bug.

Many of the mass SQL injection attacks and other large-scale Web-site compromises that have cropped up in the last couple of years have used iFrames as part of their attack vector. The iFrames open in the background when users hit a given compromised page and often are used to deliver the actual malicious payload to the target machines.
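Because the browser raises no alert for these frames, a site owner can audit page source instead. The following is an added example, not code from Armorize, Mozilla or this article: it lists frame sources whose URL userinfo looks like a hostname, the "domain-like login data" form that a reader comment below attributes to Bugzilla entry #570658. The sample HTML, the hostnames and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Userinfo that reads like a hostname, e.g. "www.bank.example".
DOMAIN_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

# Constructed sample page; every host below is a placeholder.
SAMPLE = """<html><body>
<iframe src="http://www.bank.example@203.0.113.7/login" width="0"></iframe>
<iframe src="https://video.example/embed/1"></iframe>
<IFRAME SRC="//accounts.mail.example%2Ecom:x@evil.example/"></IFRAME>
<iframe src="http://alice@intranet.example/"></iframe>
</body></html>"""

class FrameSources(HTMLParser):
    """Collect the src attribute of every <iframe> and <frame> element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("iframe", "frame") and src:
            self.sources.append(src.strip())

def classify(url):
    """Return (apparent_host, real_host) if the userinfo imitates a host, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme not in ("", "http", "https") or not parts.username:
        return None
    apparent = unquote(parts.username).lower()  # undo %2E-style encoding
    if not DOMAIN_LIKE.match(apparent):
        return None  # ordinary credentials such as "alice"
    return apparent, parts.hostname

def audit(html):
    """Return (src, apparent_host, real_host) for each deceptive frame source."""
    parser = FrameSources()
    parser.feed(html)
    parser.close()
    hits = [(src, classify(src)) for src in parser.sources]
    return [(src, *found) for src, found in hits if found]

if __name__ == "__main__":
    for src, apparent, real in audit(SAMPLE):
        print(f"{src!r}: shows {apparent}, connects to {real}")
```
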

This story was updated to add Nightingale’s statements about the effect of the bug and its exploitability.


  • Anonymous on

    This is not limited to Firefox; I have seen it in IE8 and it causes the browsers to freeze. The connections are mail and Facebook. It has been going on for 2 weeks to my knowledge.

  • Hans Schmucker on

    The Bugzilla entry for this is #570658 and it basically states what is the case here: placing domain-like login data in an iframe has no purpose and does not constitute a threat because the iframe has no navigation bar that will actually display this URL, which is why the confirmation isn't triggered. The only other way to exploit this is to fake the apparent target of a link, but we can use onclick, forwards (, ...) anyway for that purpose, so link targets are insecure by choice on the internet.

    This vulnerability isn't actually one.

  • Anonymous on

    You know, for the past week I have noticed that when I click on Yahoo to check my mail, when the window opens up to the page where you sign in and type your password, if I look up at the top of the screen to the address line, it is sometimes different.

    Most of the time it ends with the letters ym, but sometimes now it has about three or four more; it will look like this instead: ym&rl=1

    The page looks almost identical to the reg Yahoo sign-in page, but if I click on the address at the top and delete everything past the m, and hit enter, it goes to another Yahoo sign-in page with a different picture. Can anyone tell me if my computer is compromised?

  • Anonymous on

    This is a non-issue and not a vulnerability.  Way to research your articles....


  • Anonymous on

    I'd say it is an issue if my browser takes to freezing up in my Yahoo mail even after I have run every scan possible and come up with a clean PC. More to the point, who has access to everything that was loaded after the browser is restarted? Especially since the page goes directly back to the mail page, past the password page, without stopping?

  • Anonymous on

    Also, according to Bugzilla's Bug 570658, it lists Vista only; I am running XP SP3.

  • Anonymous on

    Well, it's not about the platform. It works fine on all major versions. Primarily, they scrutinize the User Agent string which notifies about the running operating system, i.e. tested on Vista.
