UPDATED: Despite the red flag raised by a security researcher, Mozilla says users are not likely to be duped by a bug that can be used to bypass an alert meant for obfuscated URLs in Firefox.
A bug in the Firefox browser that can be used to bypass an
alert for obfuscated URLs is unlikely to trick users, according to
The flaw was uncovered by Armorize Technologies researcher
Aditya K. Sood, who warned it could be used by purveyors of
malware to increase the chance of leading users to malicious sites.
According to the bug report Sood filed to Bugzilla in June
Firefox implements a check when "a URL obfuscation is done in the
address bar." Normally, the browser will display a warning if a user
clicks on a link that contains a disguised address. However, if IFrames
are used with the obfuscated URL, the alert notification is bypassed.
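
Because the warning described above does not fire for framed content, site owners and crawlers have to look for the pattern in the markup itself. The following is an added example, not code from the article, Mozilla or Sood's report: it lists frame sources whose URL disguises the real host. The traits it treats as "obfuscated" and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption (not stated in the article): "obfuscated" means text before "@"
# in the authority, a host written as one bare integer, or a %-encoded host.
BARE_INT_HOST = re.compile(r"0x[0-9a-f]+|\d+")

def obfuscation_reasons(url):
    """Return the obfuscation traits found in one URL (empty list if none)."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""   # hostname is lower-cased by urlsplit
    except ValueError:
        return ["unparseable"]
    if not parts.netloc:              # relative URL: no authority to disguise
        return []
    reasons = []
    if parts.username is not None:    # anything before "@" is userinfo, not the host
        reasons.append("userinfo")
    if BARE_INT_HOST.fullmatch(host):
        reasons.append("numeric-host")
    if "%" in host:
        reasons.append("encoded-host")
    return reasons

class FrameAudit(HTMLParser):
    """Collects (src, reasons) for every frame whose source looks disguised."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):   # tag and attribute names arrive lower-cased
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src") or ""
            reasons = obfuscation_reasons(src)
            if reasons:
                self.findings.append((src, reasons))

def audit(html):
    parser = FrameAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; hosts use reserved documentation names and addresses.
SAMPLE = """<iframe src="https://video.example.org/embed/1"></iframe>
<iframe src="http://www.bank.example@203.0.113.7/login"></iframe>
<IFRAME SRC="http://3405803783/x"></IFRAME>
<iframe src="/local/frame.html"></iframe>"""
```
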
"On performing analysis of various malware, a bug has been noticed
in all version[s] of Firefox which fails to generate an alert when [an]
obfuscated URL is being placed in IFrames," Sood explained Aug. 16 in a
blog post. "In certain cases, it can be used effectively in spreading
malware and stealing sensitive information."
Johnathan Nightingale, Mozilla's director of Firefox development,
however, said it was unlikely the bug could be effectively used by attackers to trick users. For this reason, Mozilla does not plan to issue a fix, according to the company's Security Blog.
"The concern expressed in the bug is that a page could be
constructed with an embedded IFrame that uses a confusing URL,"
Nightingale said in a statement. "Most users don't look at the HTML
source of the pages they are loading, which is the only way you'd
encounter this URL. We do not anticipate this bug would cause user
confusion or deception. Firefox ships with built-in phishing and
malware protection that warns users if they are attempting to visit a
*This story was updated to add additional comment from Mozilla.