There is a newly discovered vulnerability in Mozilla’s flagship Firefox browser that could enable an attacker to trick a user into providing his login credentials for a given site by using an obfuscated URL. In most cases, Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection, possibly leading to a compromise of the user’s sensitive information.
The problem of URL obfuscation is not a new one, and neither is it novel for attackers to use iFrames as an infection vector for visitors to a compromised Web site. Web-based attacks have been employing various forms of URL obfuscation for years now, and iFrames are a favorite of attackers because of their ability to perform malicious actions in the background of a victim’s Web session. The new bug in Firefox could allow an attacker to combine these two techniques to prevent the browser from warning the victim that a URL has been modified, removing a key protection mechanism from the equation.
Read the full article here.