Mozilla allows websites to disable various browser status elements. This allows websites to create spoofed dialogs using XUL.
An attacker could convince a user that they were viewing a native Mozilla dialog, when in fact they are visiting a page created by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords. The attacker could also spoof pop-up windows that do not display the address bar.
Disable the ability to hide status items
These preferences can also be set via the user.js file.
This vulnerability was reported by David Ahmad. The workaround was provided by Asa Dotzler.
This document was written by Will Dormann.
|Date First Published:||2004-12-17|
|Date Last Updated:||2004-12-22 15:05 UTC|