Mozilla is joining Google Chrome and Microsoft Edge in a fight against phishing sites that abuse the loading of data URIs in the Firefox navigation bar, BleepingComputer reports. Mozilla is scheduled to activate the feature that will block the loading of data URIs in Firefox 59, although the mechanism has been active in Firefox Nightly and Developer edition.
As BleepingComputer’s article explains, the URI scheme was first introduced in 1998 and it allows developers to load files represented as ASCII-encoded octet stream inside other documents. Being able to include text-based or image files inside HTML documents instead of loading each resource via a separate HTTP request has made it quite popular among website developers. This is due to search engines ranking websites based on the page loading speed, and if many HTTP requests are made, the site loads much slower, which makes it rank lower.
The URI scheme did not get past scammers, and they started abusing data URI by utilizing the technique in phishing campaigns, or even tech-support scams.
“The most abused cases are “data:text/html;base64” and “data:application/x-javascript;base64″ URIs, which provide a way to embed malicious HTML and JavaScript code inside legitimate sites,” author of the article Catalin Cimpanu explains.
Popular browsers like Google Chrome and Microsoft Edge have started blocking the loading of data URI inside the URL navigation bars due to the fact that URI can be loaded inside the browser navigation bar to render files directly, and use malicious code to hide the real URL.
Firefox has started working on preventing the abuse of data URIs, and say that they aim to block top-level data URI navigations which are mainly used for phishing.
“We only want to block top-level data URI navigations which are mostly used for phishing,” Christoph Kerschbaumer, one of Mozilla engineers said to BleepingComputer. “I don’t see any actual use case for those navigations (besides actual phishing attempts).”
Security features will be released in Firefox 59
The security feature that will block data URI was not made active in the new Firefox 57 release. However, data URI blocking has been active in Firefox Nightly and Developer edition, and Firefox 56 and 57 users can enable it.
“Users can enable data URI blocking in Firefox 56 and 57 by typing “about:config” in the URL bar and accessing Firefox’s hidden configuration panel. Here, they must search for “security.data_uri.block_toplevel_data_uri_navigations” and double-click to enable the feature in Firefox right now”, Cimpanu explains.
If clicked on links that point to data URI, the link will not work.