[vox-tech] New phishing vulnerability

Ken Bloom vox-tech@lists.lugod.org
Sat, 13 Dec 2003 18:27:48 -0800

On Fri, Dec 12, 2003 at 07:12:10PM -0800, Bill Kendrick wrote:
> On Sat, Dec 13, 2003 at 02:18:08AM +0000, Rob Rogers wrote:
> >  But the question is what does it show in the status bar while
> > hovering? The 0x01 bug only affects IE, but the %00 bug affects both
> > IE and Moz (at least 1.5). I'd be interested in what NS 4.7 does.
> 
> While I agree it's some concern, the status bar isn't NEARLY as important
> as what's shown in the URL field at the top.
> 
> Status bar can get covered up or altered easily with JavaScript.
> (Hover on a URL and the status bar can say "Click that link to go to foobar"...
> or the site could be running one of those hideously irritating
> scrollers.)
> 
> Of course, turn off JavaScript, and it's less of a concern... until you get
> to...
> 
> URLs which are JavaScript function calls.  How many times have I wanted to
> look at a screenshot, or submit my answers to a survey question, and the
> URL is "javascript:void(0);"? >:^(
> 
> Who knows WHAT server a link like that will go to?
> 
> 
> And finally, there's always HTML form links.  I haven't seen a browser that
> puts any kind of "this form submits to: http://www.foo.bar/blah.cgi" notice
> in the status bar when you hover over the Submit button.
> 
> Combine that with "<input type="image"..." submit buttons, and it looks
> like any old "<a href="..."><img src="..."></a>" link... except nothing will
> appear in the status bar.  (Or sometimes it'll show X/Y coordinates,
> since it's using the image as an imagemap.)
> 
> 
> Finally, one of the other really irritating tricks out there, which is kind
> of similar to this "0x01" bug in IE, is the use of frames.  Display
> two frames... one is 0 pixels tall, the other fills the rest of the window,
> and displays the content of some other site.
> 
> The URL at the top will always remain "http://www.foo.com/frame-page.html",
> while you're happy browsing "www.bar.net/..." URLs in the window.
> 
> 
> Man, I hate the web. :)

Would you forward your email to some of the open source browser projects
(Mozilla, Galeon, Konqueror)? They might be interested in building in
more browser security features, especially simple ones like the status
bar.
-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 10/14/2003. If you use GPG *please* see me about
signing the key. ***** My computer can't give you viruses by email. ***
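The link checks a mail gateway or browser add-on could apply to the tricks listed above (userinfo before "@" carrying a %00/0x01 control character, javascript: hrefs, and links or form actions that leave the current site), as an added Python example that is not code from this thread; the reason-code names and sample URLs are constructed for the example, and www.foo.com / www.bar.net are the placeholder hosts the quoted message itself uses.

```python
from urllib.parse import urlsplit, unquote

# Reason codes (names chosen for this example).
JS_SCHEME = "javascript-scheme"          # destination decided by script at click time
USERINFO_CTRL = "userinfo-control-char"  # %00 / 0x01-style truncation spoof
USERINFO = "userinfo-present"            # text before '@' is not the host
OFFSITE = "offsite-host"                 # real host differs from the page's host


def same_site(host: str, page_host: str) -> bool:
    """True if host equals page_host or is a subdomain of it."""
    host, page_host = host.lower(), page_host.lower()
    return host == page_host or host.endswith("." + page_host)


def link_findings(href: str, page_host: str) -> list[str]:
    """Return reason codes for an href or form action; [] means nothing in
    the URL itself looks like a spoof. page_host is the host the user
    believes the page came from."""
    parts = urlsplit(href.strip())
    if parts.scheme.lower() == "javascript":
        return [JS_SCHEME]
    findings = []
    if parts.username is not None:
        # Everything before '@' is userinfo, not the host. A raw or
        # percent-encoded control character there is what truncated the
        # displayed URL in the IE/Mozilla bugs mentioned in the thread.
        userinfo = unquote(parts.username) + unquote(parts.password or "")
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in userinfo):
            findings.append(USERINFO_CTRL)
        else:
            findings.append(USERINFO)
    host = parts.hostname or ""  # the host the browser will actually contact
    if host and not same_site(host, page_host):
        findings.append(OFFSITE)
    return findings


# Constructed sample links as they might appear on a page served by www.foo.com.
SAMPLES = [
    "http://www.foo.com%00@www.bar.net/login.cgi",   # %00 truncation spoof
    "http://www.foo.com\x01@www.bar.net/login.cgi",  # raw 0x01 variant
    "javascript:void(0);",                           # hidden destination
    "http://www.bar.net/blah.cgi",                   # plain off-site form action
    "/account/blah.cgi",                             # same-site relative link
]

if __name__ == "__main__":
    for href in SAMPLES:
        print(repr(href), "->", link_findings(href, "www.foo.com") or "ok")
```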
