IFrames and URL Stringency - Mozilla Firefox Bug

Updated: A related POC is released HERE

Inline frames play a crucial part in sharing and delivering third-party content. But it is also a well-established fact that iframes are used effectively by malware writers to spread infections across domains in a hidden manner. The question is: do browsers play a significant role in this?

URL obfuscation is a serious problem in the online world. It tests how well a browser dissects the behaviour of a crafted URL, and that analysis has to be done. Browsers have shown rogue behaviour in determining the source and destination of URLs that are obfuscated or fused with meta characters. This is dangerous from a user perspective because a victim can be taken to an undesired destination. Many changes have been made in browser development in this respect, but under certain conditions browsers still fail to determine the authentic nature of the URLs being rendered. A Google Chrome URL obfuscation vulnerability can be seen HERE.

Further, a recent bug has been filed in Bugzilla (ID 570658) regarding the way iframes and frames handle obfuscated URLs. Firefox shows a notification alert to the user when an obfuscated URL is entered in the address bar, as follows:

While analysing various malware samples, a bug was noticed in all versions of Firefox: the browser fails to generate that alert when the obfuscated URL is placed in an iframe instead. In certain cases this can be used effectively to spread malware and steal sensitive information. During the discussion on Bugzilla it was noted that Firefox behaves completely differently in these two scenarios, which should not happen. The bug is in the open state now. The major improvements can be seen in the following trunk:


A generic POC is an iframe whose src carries a userinfo prefix (www.example.com@), so that the URL appears to point at www.example.com while the host that is actually loaded is malware.com:

<iframe src="http://www.example.com@malware.com" width="600" height="600"></iframe>

It may be argued that frames are not shown directly, but this is a bug by behaviour. We can expect some changes in the coming time regarding this falsified behaviour.
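The check Firefox applies in the address bar but not to frames can be reproduced in a few lines. The following is an added example, not code from the original post or from Mozilla: it parses a URL with the WHATWG URL API (available in browsers and Node.js), reports the host that would actually be contacted, flags a userinfo part that looks like a hostname, and scans an HTML fragment for iframe and frame elements whose src uses this pattern. The sample page, the function names and the regex-based tag scan are assumptions made for the demonstration.

```javascript
// Added example (not from the original post): detect iframe/frame src URLs
// whose authority section carries a userinfo component, the obfuscation
// pattern described above. Relies only on the WHATWG URL parser.

// Parse a candidate URL and report what a browser would actually connect to.
function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { valid: false, raw };
  }
  const hasUserinfo = u.username !== '' || u.password !== '';
  return {
    valid: true,
    raw,
    scheme: u.protocol.replace(/:$/, ''),
    host: u.hostname, // the real destination, regardless of what precedes '@'
    userinfo: hasUserinfo
      ? `${u.username}${u.password ? ':' + u.password : ''}`
      : null,
    // a "username" containing a dot is typically a hostname used as decoy
    suspicious: hasUserinfo && /\./.test(u.username),
  };
}

// Scan an HTML fragment for iframe/frame elements and inspect each src.
// A regex is sufficient for this demonstration; a real scanner would walk the DOM.
function findObfuscatedFrames(html) {
  const re = /<(iframe|frame)\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const info = inspectUrl(m[2]);
    if (info.valid && info.userinfo !== null) {
      findings.push({ tag: m[1].toLowerCase(), ...info });
    }
  }
  return findings;
}

// Constructed sample page: the post's generic POC beside a benign iframe and a
// frame with ordinary credentials (userinfo present, but not a decoy hostname).
const SAMPLE_HTML = `
<html><body>
<iframe src="http://www.example.com@malware.com" width="600" height="600"></iframe>
<iframe src="http://www.example.com/widget.html" width="300" height="200"></iframe>
<frame src="https://user:pw@www.example.com/">
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findObfuscatedFrames(SAMPLE_HTML)) {
    console.log(
      `${f.tag}: ${f.raw} -> host=${f.host} userinfo=${f.userinfo} suspicious=${f.suspicious}`
    );
  }
}
```

Run with `node`: the POC iframe is reported with host malware.com and the decoy www.example.com as userinfo, the plain widget iframe produces no finding, and the credentialed frame is listed but not marked suspicious. The same distinction is what a browser would need to apply to frame sources to bring them in line with the address-bar warning.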