It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phis…
It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
https://cwe.mitre.org/data/definitions/1021.html →Open in CWE collection →The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.
https://cwe.mitre.org/data/definitions/451.html →Open in CWE collection →Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.
https://capec.mitre.org/data/definitions/98.html →Open in CAPEC collection →An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system.
https://capec.mitre.org/data/definitions/103.html →Open in CAPEC collection →An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.
https://capec.mitre.org/data/definitions/154.html →Open in CAPEC collection →An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.
https://capec.mitre.org/data/definitions/163.html →Open in CAPEC collection →An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a text or SMS message, rather than email. The user is enticed to provide information or visit a compromised web site via this message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack.
https://capec.mitre.org/data/definitions/164.html →Open in CAPEC collection →An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.
https://capec.mitre.org/data/definitions/173.html →Open in CAPEC collection →An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes.
https://capec.mitre.org/data/definitions/181.html →Open in CAPEC collection →In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.
https://capec.mitre.org/data/definitions/222.html →Open in CAPEC collection →An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.
https://capec.mitre.org/data/definitions/504.html →Open in CAPEC collection →An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with.
https://capec.mitre.org/data/definitions/506.html →Open in CAPEC collection →This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls.
https://capec.mitre.org/data/definitions/587.html →Open in CAPEC collection →An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials.
https://capec.mitre.org/data/definitions/654.html →Open in CAPEC collection →| Product | Vendor | Status |
|---|---|---|
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked | |
| firefox | Tracked |