Snowy mIRC unix.ro UnderNet Premium join:2003-04-05 Kailua, HI kudos:5 | reply to ZOverLord
Re: New IE Vulnerability Allows Address Bar Spoofing
It's very clear that the 'exploit' does not use any input/submit actions. To put it another way, do you believe a phish could load a fake page with a CC# input box, have that box filled out & then submitted elsewhere all the while the page is loading? |
|
ZOverLord Premium join:2003-10-20 Minneapolis, MN 1 edit |
said by Snowy: It's very clear that the 'exploit' does not use any input/submit actions. To put it another way, do you believe a phish could load a fake page with a CC# input box, have that box filled out & then submitted elsewhere all the while the page is loading?
Sure, but then you would see a page re-load and wonder what's going on, why not display for example the logon page right away, you would never know how long someone took to fill field information before you timed out, so it would be best to display the bogus page ASAP, which is what people are doing.
Actually, even this PoC is using a LONG delay so you can see the original Google page to get a better visual idea of what's going on. The real exploits of this are not so kind. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
Snowy mIRC unix.ro UnderNet Premium join:2003-04-05 Kailua, HI kudos:5 |
Getting someone to land on the fake page is the phish challenge so if you mean that a phish runs this exploit from its fake page then the phish doesn't really need to utilize this exploit. I just can't seem to see how it's helping a phish. |
|
ZOverLord Premium join:2003-10-20 Minneapolis, MN 1 edit |
said by Snowy: Getting someone to land on the fake page is the phish challenge so if you mean that a phish runs this exploit from its fake page then the phish doesn't really need to utilize this exploit. I just can't seem to see how it's helping a phish.
Getting someone to land on a fake page is as easy as hacking a trusted web site and making changes.
You might say "So What!" well many people use the same ID and passwords on many sites. So, simply having the ability to hack one web site with a large user base might allow one to gain email ID's ("Which also might use the same passwords").
Once you have the Email ID's and passwords, you might be able to use PayPal for example for many people. It can go on and on.
You also might be able to get the Admin logon ID's for that site, if an Admin logs in as well. If that Admin uses a cpanel for example, you might be able to control that site as well.
So it's much easier than you might imagine, especially, with some of the PHP exploits that are present today. |
|
 | I got Google plus prompt to "Allow sub-frames to navigate across different domains". Denied action. Google sat there with www.google.com in the address bar.
Reran the test, this time allowing the action. Got Secunia page, »secunia.com/19521_swf_result/, but with URL as shown. No sign of google, just Secunia page as shown. This implies I am not vulnerable. -- Dan |
|
Snowy mIRC unix.ro UnderNet Premium join:2003-04-05 Kailua, HI kudos:5 | reply to ZOverLord
Z, If you've taken over a server why hang around to capture login credentials? Getting traffic that intends to land at 'chase' but instead lands at the compromised server where you have loaded a chase phish is still the phish's #1 challenge. |
|
ZOverLord Premium join:2003-10-20 Minneapolis, MN 1 edit |
said by Snowy: Z, If you've taken over a server why hang around to capture login credentials? Getting traffic that intends to land at 'chase' but instead lands at the compromised server where you have loaded a chase phish is still the phish's #1 challenge.
When you say Hang, it's not like you can't multi-task, and getting someone's credit card is NOT the only method to get funds, actually, PayPal is easier, as well as gaining passwords for other sites.
I mean, imagine if you are dumb enough to use the same ID and password internet wide.
Now, if I can find your password on ONE site, and it also is used for all other sites including email, first thing most will do is hit eBay and see if they can logon as you, as well as other places, maybe Amazon and so on, sooner or later there is no need for you to PERSONALLY enter any credit card info, it can be found without your help. |
|
KrK Heavy Artillery For The Little Guy Premium join:2000-01-17 Tulsa, OK | reply to Snowy
said by Snowy: I just can't seem to see how it's helping a phish.
I think it helps the phisher because when the user is presented with a page requesting his login/passwords/user info or whatever and they "check" their URL box to see if they are on that server and it's a match..... except they aren't really on that server.
Basically it helps reassure the end user that "everything is ok, go ahead and enter your information" when in fact everything is far from OK. -- "Regulatory capitalism is when companies invest in lawyers, lobbyists, and politicians, instead of plant, people, and customer service." - former FCC Chairman William Kennard (A real FCC Chairman, unlike the current Corporate Spokesperson in the job!) |
|
Snowy mIRC unix.ro UnderNet Premium join:2003-04-05 Kailua, HI kudos:5 |
That's the thing. I'm not convinced that a fake "log-in" page can be displayed AND filled out AND sent while the fake page is timing out/being displayed. The length of time the fake page is displayed doesn't matter as far as I can tell because once it times out it's gone along with any input. |
|
mysec Premium join:2005-11-29 kudos:4 | reply to ZOverLord
said by ZOverLord: Getting someone to land on a fake page is as easy as hacking a trusted web site and making changes. ... might allow one to gain email ID's ...("Which also might use the same passwords"). ...you might be able to use PayPal ...You also might be able to get the Admin logon ...you might be able to control that site as well.
Quite a number of "mights" there
As shown in the bank spoofing thread, there are a number of ways to protect against this.
Regarding this particular vulnerability - I just emailed a friend, first time taking care of her own computer - about three months now. She went to the test site and the test failed. Why? Her IE settings blocked it, as she was taught.
Phone everyone you know who uses IE and there will be that fewer number of people vulnerable. 
|
|
nonymous Premium join:2003-09-08 Glendale, AZ |
said by mysec: said by ZOverLord: Getting someone to land on a fake page is as easy as hacking a trusted web site and making changes. ... might allow one to gain email ID's ...("Which also might use the same passwords"). ...you might be able to use PayPal ...You also might be able to get the Admin logon ...you might be able to control that site as well. Quite a number of "mights" there. As shown in the bank spoofing thread, there are a number of ways to protect against this. Regarding this particular vulnerability - I just emailed a friend, first time taking care of her own computer - about three months now. She went to the test site and the test failed. Why? Her IE settings blocked it, as she was taught. Phone everyone you know who uses IE and there will be that fewer number of people vulnerable.
What setting blocked it? |
|
mysec Premium join:2005-11-29 kudos:4 1 edit |
said by nonymous: What setting blocked it?
High, which disables Active Scripting. From Secunia:
Solution: Disable Active Scripting support.
»secunia.com/advisories/19521/ |
|
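The two IE zone settings that came up in this thread (the "Allow sub-frames to navigate across different domains" prompt and the Active Scripting setting from the Secunia workaround) can be read straight from the registry. The script below is an added example, not something posted in the thread; the URL action IDs 1400 and 1607 and the zone numbering are the standard IE security-zone values and are assumptions in the sense that the page does not state them.

```powershell
# Added example (not from the thread): list the IE zone settings discussed above.
# Assumed URL action IDs (standard IE security-zone values, not given on the page):
#   1400 = Active scripting
#   1607 = Navigate sub-frames across different domains
# Value data: 0 = Enable, 1 = Prompt, 3 = Disable
$Zones   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
              3 = 'Internet';    4 = 'Restricted sites' }
$Actions = @{ '1400' = 'Active scripting'
              '1607' = 'Navigate sub-frames across domains' }
$States  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Per-user and per-machine copies, plus the Group Policy copy of each.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Roots  = @(
    "HKCU:\Software\$suffix"
    "HKLM:\Software\$suffix"
    "HKCU:\Software\Policies\$suffix"
    "HKLM:\Software\Policies\$suffix"
)

function Get-IEZoneScriptSetting {
    foreach ($root in $Roots) {
        foreach ($zone in ($Zones.Keys | Sort-Object)) {
            $path = Join-Path $root "$zone"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $props = Get-ItemProperty -LiteralPath $path
            foreach ($id in ($Actions.Keys | Sort-Object)) {
                $value = $props.$id
                if ($null -eq $value) { continue }   # not set in this hive
                $state = $States[[int]$value]
                if (-not $state) { $state = "Other ($value)" }
                [pscustomobject]@{
                    Hive    = $root.Substring(0, 4)
                    Policy  = ($root -like '*\Policies\*')
                    Zone    = $Zones[$zone]
                    Setting = $Actions[$id]
                    State   = $state
                }
            }
        }
    }
}

Get-IEZoneScriptSetting | Format-Table -AutoSize
```

An Internet-zone row showing Active scripting as Disable corresponds to the workaround quoted from Secunia; a Prompt state for sub-frame navigation corresponds to the dialog Dan describes.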