[vox-tech] New phishing vulnerability

Bill Kendrick vox-tech@lists.lugod.org
Fri, 12 Dec 2003 19:12:10 -0800


On Sat, Dec 13, 2003 at 02:18:08AM +0000, Rob Rogers wrote:
>  But the question is what does it show in the status bar while
> hovering? The 0x01 bug only affects IE, but the %00 bug affects both
> IE and Moz (at least 1.5). I'd be interested what NS 4.7 does.

While I agree it's some concern, the status bar isn't NEARLY as important
as what's shown in the URL field at the top.

Status bar can get covered up or altered easily with JavaScript.
(Hover on a URL and the status bar can say "Click that link to go to foobar"...
or the site could be running one of those hideously irritating
scrollers.)

Of course, turn off JavaScript, and it's less of a concern... until you get
to...

URLs which are JavaScript function calls.  How many times have I wanted to
look at a screenshot, or submit my answers to a survey question, and the
URL is "javascript:void(0);"? >:^(

Who knows WHAT server a link like that will go to?


And finally, there's always HTML form links.  I haven't seen a browser that
puts any kind of "this form submits to: http://www.foo.bar/blah.cgi" notice
in the status bar when you hover over the Submit button.

Combine that with "<input type="image"..." submit buttons, and it looks
like any old "<a href="..."><img src="..."></a>" link... except nothing will
appear in the status bar.  (Or sometimes it'll show X/Y coordinates,
since it's using the image as an imagemap.)


Finally, one of the other really irritating tricks out there, which is kind
of similar to this "0x01" bug in IE, is the use of frames.  Display
two frames... one is 0 pixels tall, the other fills the rest of the window,
and displays the content of some other site.

The URL at the top will always remain "http://www.foo.com/frame-page.html",
while you're happy browsing "www.bar.net/..." URLs in the window.


Man, I hate the web. :)

-bill!
bill@newbreedsoftware.com                           Got kids?  Get Tux Paint! 
http://newbreedsoftware.com/bill/       http://newbreedsoftware.com/tuxpaint/
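The tricks listed in this message (a look-alike hostname placed in the userinfo part before "@" with a %00/0x01 escape, "javascript:" hrefs, forms that submit to a different host, image submit buttons, and a zero-height frame wrapping another site's content) can all be picked out of a page's HTML before a user ever hovers over anything. The following audit script is an added example, not code from this thread or from Bill; it uses only the Python standard library, and the sample page, its URL and every hostname in it (foo.example, bar.example, evil.example) are constructed placeholders.

```python
"""Flag the URL-display tricks discussed in the thread in a page's HTML.

Findings are (kind, detail) tuples so they can be reviewed or logged:
  userinfo-control  -- '@' URL whose userinfo holds a %00/%01-style control char
  userinfo          -- any other '@' URL (the text before '@' is not the host)
  javascript-href   -- link that runs script instead of naming a server
  offsite-form      -- form whose action host differs from the page host
  image-submit      -- <input type="image">, which looks like an ordinary link
  zero-size-frame   -- frameset with a 0-sized row or column
  offsite-frame     -- frame/iframe loading content from another host
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, unquote


def suspicious_userinfo(url):
    """True if the URL has an @-delimited userinfo part that decodes to a
    control character (the %00 and 0x01 cases from the thread). The part
    before '@' is what a user is meant to read as the hostname; the real
    host is whatever follows the '@'."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return False
    userinfo = netloc.rsplit("@", 1)[0]
    return any(ord(ch) < 0x20 for ch in unquote(userinfo))


def _zero_sized(spec):
    """True if a frameset rows/cols attribute like '0,*' has a 0-sized entry."""
    return any(part.strip().rstrip("px%") == "0" for part in spec.split(","))


class LinkAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.findings = []

    def _host(self, url):
        # Resolve relative URLs against the page so '/x.cgi' maps to the page host.
        return (urlsplit(urljoin(self.page_url, url)).hostname or "").lower()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            href = a["href"].strip()
            if href.lower().startswith("javascript:"):
                self.findings.append(("javascript-href", href))
            elif suspicious_userinfo(href):
                self.findings.append(("userinfo-control", href))
            elif "@" in urlsplit(href).netloc:
                self.findings.append(("userinfo", href))
        elif tag == "form":
            action = a.get("action", "")
            host = self._host(action) if action else self.page_host
            if host != self.page_host:
                self.findings.append(("offsite-form", action))
        elif tag == "input" and a.get("type", "").lower() == "image":
            self.findings.append(("image-submit", a.get("src", "")))
        elif tag == "frameset":
            for attr in ("rows", "cols"):
                if attr in a and _zero_sized(a[attr]):
                    self.findings.append(("zero-size-frame", a[attr]))
        elif tag in ("frame", "iframe") and a.get("src"):
            if self._host(a["src"]) != self.page_host:
                self.findings.append(("offsite-frame", a["src"]))


def audit(page_url, html):
    """Return the list of (kind, detail) findings for one page."""
    auditor = LinkAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page exercising every trick named in the thread.
SAMPLE_PAGE_URL = "http://www.foo.example/frame-page.html"
SAMPLE_HTML = """
<html><body>
<a href="http://www.paypal.example%00@evil.example/login">Log in</a>
<a href="javascript:void(0);">View screenshot</a>
<a href="http://www.foo.example/about.html">About</a>
<form action="http://www.bar.example/blah.cgi" method="post">
  <input type="image" src="submit.gif">
</form>
<form action="/search.cgi"><input type="submit"></form>
<frameset rows="0,*">
  <frame src="http://www.foo.example/top.html">
  <frame src="http://www.bar.example/">
</frameset>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:18} {detail}")
```

Run it and the two plain same-host links (the About link and the /search.cgi form) produce no output, while each of the six tricks is reported once. The userinfo check decodes the text before "@" rather than matching the literal strings "%00" and "%01", so a raw control byte or another escape of the same kind is caught the same way.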