Description
The user interface (UI) does not properly represent critical information to the user, allowing the information – or its source – to be obscured or spoofed. This is often a component in phishing attacks.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
Consequences
Non-Repudiation, Access Control: Hide Activities, Bypass Protection Mechanism
Potential Mitigations
Phase: Implementation
Description:
Perform data validation (e.g. syntax, length, etc.) before interpreting the data.
Phase: Architecture and Design
Description:
Create a strategy for presenting information, and plan for how to display unusual characters.
CVE References
- CVE-2004-2227
- Web browser’s filename selection dialog only shows the beginning portion of long filenames, which can trick users into launching executables with dangerous extensions.
- CVE-2001-0398
- Attachment with many spaces in filename bypasses “dangerous content” warning and uses different icon. Likely resultant.
- CVE-2001-0643
- Misrepresentation and equivalence issue.
- CVE-2005-0593
- Lock spoofing from several different weaknesses.
- CVE-2004-1104
- Incorrect indicator: web browser can be tricked into presenting the wrong URL
- CVE-2005-0143
- Incorrect indicator: Lock icon displayed when an insecure page loads a binary file loaded from a trusted site.
- CVE-2005-0144
- Incorrect indicator: Secure “lock” icon is presented for one channel, while an insecure page is being simultaneously loaded in another channel.
- CVE-2004-0761
- Incorrect indicator: Certain redirect sequences cause security lock icon to appear in web browser, even when page is not encrypted.
- CVE-2004-2219
- Incorrect indicator: Spoofing via multi-step attack that causes incorrect information to be displayed in browser address bar.
- CVE-2004-0537
- Overlay: Wide “favorites” icon can overlay and obscure address bar
- CVE-2005-2271
- Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. “origin validation error” of a sort?
- CVE-2005-2272
- Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. “origin validation error” of a sort?
- CVE-2005-2273
- Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. “origin validation error” of a sort?
- CVE-2005-2274
- Visual distinction: Web browsers do not clearly associate a Javascript dialog box with the web page that generated it, allowing spoof of the source of the dialog. “origin validation error” of a sort?
- CVE-2001-1410
- Visual distinction: Browser allows attackers to create chromeless windows and spoof victim’s display using unprotected Javascript method.
- CVE-2002-0197
- Visual distinction: Chat client allows remote attackers to spoof encrypted, trusted messages with lines that begin with a special sequence, which makes the message appear legitimate.
- CVE-2005-0831
- Visual distinction: Product allows spoofing names of other users by registering with a username containing hex-encoded characters.
- CVE-2003-1025
- Visual truncation: Special character in URL causes web browser to truncate the user portion of the “user@domain” URL, hiding real domain in the address bar.
- CVE-2005-0243
- Visual truncation: Chat client does not display long filenames in file dialog boxes, allowing dangerous extensions via manipulations including (1) many spaces and (2) multiple file extensions.
- CVE-2005-1575
- Visual truncation: Web browser file download type can be hidden using whitespace.
- CVE-2004-2530
- Visual truncation: Visual truncation in chat client using whitespace to hide dangerous file extension.
- CVE-2005-0590
- Visual truncation: Dialog box in web browser allows user to spoof the hostname via a long “user:pass” sequence in the URL, which appears before the real hostname.
- CVE-2004-1451
- Visual truncation: Null character in URL prevents entire URL from being displayed in web browser.
- CVE-2004-2258
- Miscellaneous — [step-based attack, GUI] — Password-protected tab can be bypassed by switching to another tab, then back to original tab.
- CVE-2005-1678
- Miscellaneous — Dangerous file extensions not displayed.
- CVE-2002-0722
- Miscellaneous — Web browser allows remote attackers to misrepresent the source of a file in the File Download dialog box.