UPDATED: Despite the red flag raised by a security researcher, Mozilla says users are not likely to be duped by a bug that can be used to bypass an alert meant for obfuscated URLs in Firefox.
A bug in the Firefox browser that can be used to bypass an alert for obfuscated URLs is unlikely to trick users, according to Mozilla.
The flaw was uncovered by Armorize Technologies researcher Aditya K. Sood, who warned it could be used by purveyors of malware to increase the chance of leading users to malicious sites.
According to the bug report Sood filed to Bugzilla in June, Firefox implements a check when "a URL obfuscation is done in the address bar." Normally, the browser will display a warning if a user clicks on a link that contains a disguised address. However, if IFrames are used with the obfuscated URL, the alert notification is bypassed.
“On performing analysis of various malware, a bug has been noticed in all version[s] of Firefox which fails to generate an alert when [an] obfuscated URL is being placed in IFrames," Sood explained Aug. 16 in a blog post. "In certain cases, it can be used effectively in spreading malware and stealing sensitive information.”
Johnathan Nightingale, Mozilla’s director of Firefox development, however, said it was unlikely the bug could be effectively used by attackers to trick users. For this reason, Mozilla does not plan to issue a fix, according to the company’s Security Blog.