Mozilla Foundation Security Advisory 2005-04

Secure site lock can be spoofed with view-source:

Announced
January 21, 2005
Reporter
Kohei Yoshino
Impact
Low
Products
Firefox, Mozilla Suite
Fixed in
  • Firefox 1
  • Mozilla Suite 1.7.5

Description

Kohei Yoshino reports the secure site lock icon can be spoofed by using a view-source: URL targetted at the secure site whose credentials you want to appropriate. An insecure page of the attackers choice can then be loaded while the lock icon shows the previous secure state.

This could potentially be abused by phishers to make their fake login sites appear more authentic.

Workaround

Upgrade to fixed version

References

https://bugzilla.mozilla.org/show_bug.cgi?id=262689