The Way Out
join:2003-01-20
| Don't trust the Lock icon either!
Want to see something scary? Try this link:
https://www.paypal.com
It says PayPal in the URL, but it's not paypal! You'll notice that it still displays the "Lock" in the bottom right hand corner, too. Be afraid. :| |
|
justin
Australian
join:1999-05-28
Brooklyn, NY | Did you knock this site up? i was going to try an https redirect to see if it could be done, it seemed like it could but I didn't have a domain handy. |
|
The Way Out
join:2003-01-20 | Yes, I set it up. As long as the "real" webhost has a valid SSL certificate (and is issued by a root that is trusted by the browser), no warning is popped up at all. Scary, huh. |
|
justin
Australian
join:1999-05-28
Brooklyn, NY | I figured it would work, as its just a display bug, really. Damn. I updated the news bit to link to your post demonstrating the fake encrypted site that gives no alerts about the certificate not matching what is displayed in the address bar. |
|
espionage007
join:2003-06-14
Herndon, VA | reply to The Way Out
omg no way!! you're one evil genius |
|
Fireshield
join:2001-10-08
Champlin, MN | reply to The Way Out
Hmmmm...when I click it I get »https://secure.divo.net/notpaypal/ in the address bar.
IE Version 6.0.2800.1106.xpsp2.030422-1633 |
|
justin
Australian
join:1999-05-28
Brooklyn, NY
Host:
IPv6
Business Connectiv..
Home/Office setup ..
Console/Handheld g..
Console Tech
1 edit | hover your link over his paypal link .. see (phish removed) ?
I added phish protection to these forums
but it did work just fine, he is right.
edit: protection will be lifted shortly just for his post. Try it later if you're still interested. |
|
kwitko
Shacklyn Nights
Premium
join:2000-06-10
Middle Village, NY
| reply to The Way Out
Interesting, using IE through Avant Browser, I get
»https://www.paypal.com�@secure.divo.n···tpaypal/
But using IE standalone I get:
»https://www.paypal.com/
Using Firebird I get
»https://www.paypal.com%01@secure.divo.net/notpaypal/
--
"Comparing information and knowledge is like asking whether the fatness of a pig is more or less green than the designated hitter rule."-- David Guaspari |
|
steven s
Premium
join:2002-09-14
Dearborn, MI | reply to The Way Out
The address bar doesn't even say www.paypal.com
It says "https://www.paypal.com%01@secure.divo.net/notpaypal/" |
|
petrus
join:2002-01-09
Atlanta, GA
1 edit | reply to kwitko
Avant Browser
I experienced the same thing using Avant Browser. Does Avant Browser somehow make IE more secure? |
|
Fireshield
join:2001-10-08
Champlin, MN | reply to justin
Re: Don't trust the Lock icon either!
Thanks justin  . You're right, it does work. Rather scary! |
|
Googled
Yay, I have FIOS
join:2001-08-13
Orchard Park, NY
 ·VoicePulse
 ·Verizon FIOS
|  reply to justin
I was thinking some more about this bug and I came up with an even scarier usage.
Using the Apache "Redirect" directive you can phish an entire site! Just put this into your httpd.conf!
Redirect /test "http://www.domainyouwant.com^A@www.domainyouhave.com"
Now anyone who visits www.domainyouhave.com/test will be redirected to the phished site! Doing this makes IE automatically modify EVERY link on the page to a phished version!
--
DirecWay DW3000 DRS, SatMex 5 1170 gateway 164, P3-533/256 MB, AOL+ 7.0 4114.10712 on 98SE w/ICS,shared to 2 x 2K Pro, 1 x Redhat Linux 7.3, 1 x Netgear 802.11b |
|
justin
Australian
join:1999-05-28
Brooklyn, NY
Host:
IPv6
Business Connectiv..
Home/Office setup ..
Console/Handheld g..
Console Tech
| thats cute. I figured there would be creative use of redirectors.
I mean - you could post one of those "Special offer" links, the ones that nobody expects to look correct because they are long and have affiliate pay-on-click codes in them? - and then redirect to a phished version of SBC DSL signup page and keep them within it. Then collect credit card numbers for days before the victims noticed. |
|
mod bait
Premium
join:2001-06-11
Rochester, NY
| reply to The Way Out
/extreme_sarcasm
Well, hopefully, Microsoft will give this matter several weeks or months of careful consideration and analysis, as they seem to be with the recently-announced active scripting exploits.
--
"Security is a tax on the honest." --Bruce Schneier, Beyond Fear, Copernicus, 2003 |
|
jbone_99
join:2003-12-21
Washington, DC | reply to The Way Out
I actually blocked the link from showing up using ad blocker in norton IS |
|
HalfFull
Premium
join:2002-12-20
Chesapeake, VA
| reply to The Way Out
said by The Way Out :
Want to see something scary? Try this link:
https://www.paypal.com
It says PayPal in the URL, but it's not paypal! You'll notice that it still displays the "Lock" in the bottom right hand corner, too. Be afraid. :|
sad...since Micro$oft is to cheap to fix the flaw, legitimate businesses will be hurt as the security problem is more publicized. Computer-challenged people won't buy on-line because they will be afraid of a scam... |
|
ephilipps
Premium
join:2004-01-09
Depew, NY | reply to The Way Out
ViruScan Enterprise pops a window just by opening the forum post. I guess Microsoft will get around to this soomer or later.... |
|
