Mozilla Firefox Focus
cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*
- 139.0
A URL spoofing vulnerability has been identified in Mozilla Firefox Focus for Android, specifically in version 139.0, as well as in Thunderbird versions prior to 141. Both applications truncated long URLs from the end, cutting off the main domain, which is the part of the URL users rely on to verify which site they are actually on. This flaw lets an attacker disguise the true origin of a site, potentially enabling phishing or other malicious activity.
This vulnerability undermines a key security feature of web browsers and mail clients: the ability to display a site's identity accurately so that users can verify it. When the main domain is hidden, users may be misled about the legitimacy of a site, increasing the risk of falling victim to scams or misinformation.
To reproduce this behaviour in Firefox Focus, install the affected version on an Android device and navigate to a website whose hostname has a subdomain long enough to exceed the address bar's display width. The truncation hides the main domain, showing how the issue can be used to mask the true source of a URL. In Thunderbird, the same behaviour can be observed by opening a message that contains a link with a long subdomain: the link is truncated in a way that hides the main domain.
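The following is an added illustration, not Mozilla's code: it contrasts head-only truncation, the behaviour this advisory describes, with an elision strategy that always keeps the main (registrable) domain visible, and includes a check a reviewer could run over a display function. The public-suffix table and the sample hostname are constructed for the demo; a real implementation would consult the Public Suffix List.

```javascript
// Added example (not Firefox Focus or Thunderbird code). Shows why truncating a
// long hostname from the end hides the registrable domain, and how to elide
// subdomain labels instead so the domain stays visible.

// Constructed, minimal public-suffix table for the demo only; real code should
// use the Public Suffix List (https://publicsuffix.org/).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "example", "co.uk"]);

// Return the registrable domain (eTLD+1) of a hostname, e.g.
// "a.b.shop.co.uk" -> "shop.co.uk". Returns null if the host is itself a suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Try the longest suffix in the table first (two labels, then one).
  for (let n = Math.min(2, labels.length - 1); n >= 1; n--) {
    const suffix = labels.slice(-n).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(-(n + 1)).join(".");
    }
  }
  return null;
}

// Head-only truncation: keeps the leading characters and drops the tail, which
// is exactly where the registrable domain lives. This is the unsafe pattern.
function truncateHead(hostname, maxLen) {
  if (hostname.length <= maxLen) return hostname;
  return hostname.slice(0, maxLen - 1) + "\u2026";
}

// Safe elision: drop subdomain labels from the left until the string fits,
// marking the cut with an ellipsis, and never remove the registrable domain.
function elideKeepingDomain(hostname, maxLen) {
  if (hostname.length <= maxLen) return hostname;
  const domain = registrableDomain(hostname);
  if (domain === null || domain === hostname) return hostname; // nothing safe to drop
  const subLabels = hostname
    .slice(0, hostname.length - domain.length)
    .split(".")
    .filter(Boolean);
  while (subLabels.length > 0) {
    const candidate = "\u2026" + [...subLabels, domain].join(".");
    if (candidate.length <= maxLen) return candidate;
    subLabels.shift();
  }
  // Even if the domain alone exceeds maxLen, show it in full rather than cut it.
  return "\u2026" + domain;
}

// Review check: does the rendered string still end with the registrable domain?
function domainVisible(displayed, hostname) {
  const domain = registrableDomain(hostname);
  return domain !== null && displayed.endsWith(domain);
}

// Constructed sample: a deceptive subdomain chain in front of an unrelated domain.
const SAMPLE_HOST = "secure-login.examplebank.com.attacker-site.example";
const ADDRESS_BAR_WIDTH = 30; // characters the constructed address bar can show

function demo() {
  const unsafe = truncateHead(SAMPLE_HOST, ADDRESS_BAR_WIDTH);
  const safe = elideKeepingDomain(SAMPLE_HOST, ADDRESS_BAR_WIDTH);
  return {
    unsafe,
    unsafeShowsDomain: domainVisible(unsafe, SAMPLE_HOST),
    safe,
    safeShowsDomain: domainVisible(safe, SAMPLE_HOST),
  };
}

console.log(demo());
```

With the constructed 30-character address bar, `truncateHead` renders `secure-login.examplebank.com.…`, so the user sees only the lookalike prefix, while `elideKeepingDomain` renders `…com.attacker-site.example`, keeping the real domain in view. `domainVisible` is the kind of assertion a UI test could apply to every rendered hostname.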
Users can update to Firefox Focus version 141.0 or later, and Thunderbird version 141.0 or later, to address this vulnerability.