Spoof
This spoof works with Mozilla Firefox
version 0.9, 0.9.1, 0.9.2, and the "nightlies" through at least
20040730. This particular demo does not work in the Mozilla Browser,
but I know of no reason one could not be created.
For this spoof to have maximal effect, you must have the following settings at their default, out-of-the-box state:
- Web Features | Advanced | Allow Javascript to hide the status bar
- Default selection of toolbars and toolbar buttons
- No particularly bizarre browser extensions installed
- Javascript should be enabled.
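As an added defensive example (not code from this page or from Mozilla), here is a small Node.js script that audits a Firefox prefs.js for the settings listed above and emits user.js lines that switch them to the safe value. The dom.disable_window_open_feature.* and dom.disable_window_status_change pref names are my assumption for the about:config keys behind those Options | Web Features | Advanced checkboxes, and the sample prefs.js is constructed.

```javascript
// Added example, not part of the original page: audit a Firefox prefs.js for
// the default settings the spoof depends on, and produce user.js lines that
// harden them. Pref names are assumed to be the about:config keys behind the
// "Allow Javascript to ..." checkboxes in Options | Web Features | Advanced.

// pref -> value that stops scripts from hiding or altering browser chrome
const HARDENED = {
  "dom.disable_window_open_feature.status": true,   // scripts can't hide status bar
  "dom.disable_window_open_feature.location": true, // scripts can't hide URL bar
  "dom.disable_window_open_feature.toolbar": true,  // scripts can't hide toolbar
  "dom.disable_window_status_change": true,         // scripts can't change status text
};

// Parse lines of the form  user_pref("name", value);  into an object.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    const raw = m[2];
    if (raw === "true") prefs[m[1]] = true;
    else if (raw === "false") prefs[m[1]] = false;
    else if (raw.startsWith('"')) prefs[m[1]] = raw.slice(1, -1);
    else prefs[m[1]] = Number(raw);
  }
  return prefs;
}

// Report each hardening pref that is absent from prefs.js (i.e. still at the
// browser default, which the page says is the weak setting) or set to the weak value.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  return Object.keys(HARDENED)
    .filter((name) => prefs[name] !== HARDENED[name])
    .map((name) => ({
      name,
      current: prefs[name] === undefined ? "(default)" : prefs[name],
      wanted: HARDENED[name],
    }));
}

// Produce user.js lines for the weak prefs found by auditPrefs.
function hardenedUserJs(text) {
  return auditPrefs(text)
    .map((f) => `user_pref("${f.name}", ${JSON.stringify(f.wanted)});`)
    .join("\n");
}

// Constructed sample prefs.js: one hardening pref already on, one explicitly weak.
const SAMPLE_PREFS = [
  'user_pref("dom.disable_window_open_feature.location", true);',
  'user_pref("dom.disable_window_open_feature.status", false);',
  'user_pref("browser.startup.homepage", "about:blank");',
].join("\n");
```

Append the output of hardenedUserJs to the profile's user.js and restart the browser; the audit then reports nothing.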
View the spoof that mimics the interface of Firefox versions 0.9.0 - 0.9.2
View the spoof that mimics later versions of the interface of Firefox (nightly builds)
[update 2x] Apparently this only works on some MacOS X boxes. [thanks ed, Markus]... please give me feedback on what it does and doesn't work on. Tell me your operating system, exact Firefox build number (Help | About, down at the bottom), and what doesn't work.
You can try the following things
- Double-click on the padlock icon in the lower left corner (or in the URL bar, for the second spoof).
- Click the "View" button on the security dialog that pops up
- Change the browser's theme
Discussion/Links
For some good discussion on the issue, see these links:
- Bug 22183. This is the first mention of the problem that I am aware of. It was marked confidential for five years until 7-21-2004. Update: use this bug to track the issue.
- Bug 244965.
While this isn't actually quite the same thing (James Ross found
a security flaw related to the loading of XUL), there is some
discussion about spoofing in the comments.
- MozillaZine post.
This is my original disclosure on the problem. Because the spoof seemed
so obvious, I was sure that somebody had done it before (they had, in
fact, but the bugs on bugzilla were marked confidential), so I wasn't
too concerned with actually filing a bug.
- Bug 252198.
This is the bug that I eventually filed. IMHO, it's become a duplicate
of Bug 22183, but that bug was confidential when I first published. Update: It's official, this bug is a dup of Bug 22183.
- Secunia's advisory. The press.
Limitations
Yes, the fake toolbar buttons don't do anything when clicked. Yes, the
menu items are all dead. But they don't have to be. A diligent bad guy
could produce enough modified XULs to emulate nearly the entire
browser. If the padlock icon can be made to work, anything can work.
So what is safe from tampering? A bad guy can't read your browser
preferences. He doesn't know whether you use large toolbar icons or
small ones, what your bookmarks are, or what sort of extensions you
have installed.
Timeline
- 1999-12-20: Original discovery by joro@nat.bg.
- 2004-7-18: I independently stumbled on the problem (while trying to
teach myself enough XUL to write a browser extension, actually)
- 2004-7-19: I published to MozillaZine and, later, to Bugzilla.
- 2004-7-30: The press, astute as always, catches wind of the matter.
Why 5 Years?
I keep getting this question in my email, so I'll try and provide my
response here. Please note that this is my personal, uninformed,
not-officially-affiliated-with-the-Mozilla-Foundation, unfactual
opinion.
The original bug was filed 5 years ago. The year 1999 was a completely
different internet than we have now. Back then, the Mozilla folks were
just trying to get a functioning browser out the door. However, the
only people who actually used it were nerds and geeks. These tech-savvy
users didn't often fall for paypal, ebay, and banking scams. Back in
1999, there really weren't any scams like that. "Phishing" was not in
anybody's dictionary.
So with a world like that, a bug that said "theoretically, somebody
could make a window that looks like something it isn't" didn't scare
many people. The developers had better things to work on, like making
the browser work.
The bug was filed, and duly examined. Some suggestions were made, some
patches were produced, but in the end, it all seemed kinda silly.
People more or less forgot about the bug.
Now, I'm not a Mozilla developer, so I don't know a whole lot about
their bug-tracking system. But somehow, they don't seem to do a lot to
re-examine old bugs and resolve them. There are a lot of things
floating around in their bug database that seem to be permanently
unresolved.
Well, flash forward to the year 2004. Spoofing attacks like this are
suddenly common, and Real People are finding themselves sans identity,
or $2000. In my opinion, this is a result of three factors: the average
internet-user is getting less and less computer-savvy, more people are
using the internet for vital financial matters (like online banking,
credit cards, stock trading, paypal, and shopping), and a certain large
vendor's mishandling of the web browser market has resulted in a
dangerously-insecure monoculture.
So, do I think that the Mozilla Foundation went and actively suppressed
a bug like this? No. Do I think that they take security seriously? Yes.
Do I think that they screwed up? Maybe a little. Do I think that they
should modify their development process to eliminate oversights like
this? Maybe a little.
I hope that answered some of your questions.
--Jeff
ps, Although you can't see it here, the XUL files are being preloaded
at this page, so they pop up almost instantly when you activate them.
Since I'm no Javascript guru, I used a clunky splunge to force them to
be preloaded; that's why there are a few javascript errors listed in
the console.
Page last updated on 8-2-2004. I do not provide any guarantee that this
page will be here in a year, so please don't link to it with
expectation of permanency.