Spoof
This spoof works with Mozilla Firefox version 0.9, 0.9.1, 0.9.2, and the "nightlies" through at least 20040730. This particular demo does not work in the Mozilla Browser, but I know of no reason one could not be created.
For this spoof to have maximal effect, you must have the following settings at their default, out-of-the-box state:
- Web Features | Advanced | Allow Javascript to hide the status bar
- Default selection of toolbars and toolbar buttons
- No particularly bizarre browser extensions installed
- Javascript should be enabled.
View the spoof that mimics the interface of Firefox versions 0.9.0 - 0.9.2
View the spoof that mimics later versions of the interface of Firefox (nightly builds)
if you don't have Firefox (you should get it!).
[update] Apparently this doesn't work on MacOS X [thanks ed]... please give me feedback on what it does and doesn't work on. Tell me your operating system, exact Firefox build number (Help | About, down at the bottom), and what doesn't work.
You can try the following things:
- Double-click on the padlock icon in the lower left corner (or in the URL bar, for the second spoof).
- Click the "View" button on the security dialog that pops up
- Change the browser's theme
Discussion/Links
For some good discussion on the issue, see these links:
- Bug 22183. This is the first mention of the problem that I am aware of. It was marked confidential for five years until 7-21-2004.
- Bug 244965. While this isn't actually quite the same thing (James Ross found a security flaw related to the loading of XUL), there is some discussion about spoofing in the comments.
- MozillaZine post. This is my original disclosure on the problem. Because the spoof seemed so obvious, I was sure that somebody had done it before (they had, in fact, but the bugs on Bugzilla were marked confidential), so I wasn't too concerned with actually filing a bug.
- Bug 252198. This is the bug that I eventually filed. IMHO, it's become a duplicate of Bug 22183, but that bug was confidential when I first published.
- Secunia's advisory. The press.
Limitations
Yes, the fake toolbar buttons don't do anything when clicked. Yes, the menu items are all dead. But they don't have to be. A diligent bad guy could produce enough modified XULs to emulate nearly the entire browser. If the padlock icon can be made to work, anything can work.
So what is safe from tampering? A bad guy can't read your browser preferences. He doesn't know whether you use large toolbar icons or small ones, what your bookmarks are, or what sort of extensions you have installed.
Timeline
- 1999-12-20: Original discovery by joro@nat.bg.
- 2004-7-18: I independently stumbled on the problem (while trying to teach myself enough XUL to write a browser extension, actually).
- 2004-7-19: I published to MozillaZine and, later, to Bugzilla.
- 2004-7-30: The press, astute as always, catches wind of the matter.
--Jeff
P.S. Although you can't see it here, the XUL files are being preloaded at this page, so they pop up almost instantly when you activate them. Since I'm no Javascript guru, I used a clunky splunge to force them to be preloaded; that's why there are a few Javascript errors listed in the console.
Page last updated on 7-30-2004. I do not provide any guarantee that this page will be here in a year, so please don't link to it with expectation of permanency.