Don't trust the Lock icon either!
Want to see something scary? Try this link: https://www.paypal.com
It says PayPal in the URL, but it's not paypal! You'll notice that it still displays the "Lock" in the bottom right hand corner, too. Be afraid. :|
justin
Mod
2003-Dec-11 1:07 am
Did you knock this site up? I was going to try an https redirect to see if it could be done; it seemed like it could, but I didn't have a domain handy.
Yes, I set it up. As long as the "real" webhost has a valid SSL certificate (and is issued by a root that is trusted by the browser), no warning is popped up at all. Scary, huh.
justin
Mod
2003-Dec-11 1:11 am
I figured it would work, as it's just a display bug, really. Damn. I updated the news bit to link to your post demonstrating the fake encrypted site that gives no alerts about the certificate not matching what is displayed in the address bar.
to The Way Out
omg no way!! you're one evil genius
to The Way Out
Hmmmm...when I click it I get » secure.divo.net/notpaypal/ in the address bar. IE Version 6.0.2800.1106.xpsp2.030422-1633
justin
Mod
2003-Dec-11 11:32 am
hover your link over his paypal link .. see (phish removed) ?
I added phish protection to these forums
but it did work just fine, he is right.
edit: protection will be lifted shortly just for his post. Try it later if you're still interested.
kwitko7
to The Way Out
Interesting, using IE through Avant Browser, I get » www.paypal.com@secur ··· tpaypal/
But using IE standalone I get: » www.paypal.com/
Using Firebird I get » www.paypal.com%01@secure ··· tpaypal/
steven s
to The Way Out
The address bar doesn't even say www.paypal.com. It says "https://www.paypal.com%01@secure.divo.net/notpaypal/"
petrus
to kwitko7
Avant Browser
I experienced the same thing using Avant Browser. Does Avant Browser somehow make IE more secure?
to justin
Re: Don't trust the Lock icon either!
Thanks justin. You're right, it does work. Rather scary!
Googled
to justin
I was thinking some more about this bug and I came up with an even scarier usage. Using the Apache "Redirect" directive you can phish an entire site! Just put this into your httpd.conf!
Redirect /test "http://www.domainyouwant.com^A@www.domainyouhave.com"
Now anyone who visits www.domainyouhave.com/test will be redirected to the phished site! Doing this makes IE automatically modify EVERY link on the page to a phished version!
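The addresses quoted in this thread all rely on the same parsing rule: in a URL authority, everything before the last "@" is userinfo (credentials), and only what follows it is the host a request actually goes to. The check below is an added example, not code from this thread or any of its participants. It uses Python's standard urllib.parse to recover the real host and flags URLs whose userinfo part looks like a domain name or contains control characters such as the %01 / ^A byte discussed above. The sample URLs are constructed from the hostnames quoted in the thread; nothing is fetched.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed samples modelled on the address forms quoted in this thread:
# the "%01@" form seen in the address bar, the raw control-character form
# used in the Redirect directive, a plain URL, and ordinary userinfo.
SAMPLE_URLS = [
    "https://www.paypal.com%01@secure.divo.net/notpaypal/",
    "http://www.domainyouwant.com\x01@www.domainyouhave.com/test",
    "https://www.paypal.com/",
    "https://user:pass@example.com/",  # legitimate credentials, not a lookalike host
]

# A userinfo value shaped like a registered domain name (labels joined by dots).
_HOSTLIKE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def analyze_url(url: str) -> dict:
    """Parse a URL the way an RFC-conforming parser does and report the host a
    request would really reach, plus whether the userinfo part is something a
    reader could mistake for that host."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    # urlsplit.username is everything before ':' in the userinfo, left undecoded.
    userinfo = parts.username or ""
    # Decode percent-escapes so "%01" becomes the control byte it stands for.
    decoded = unquote(userinfo)
    control_chars = any(ord(ch) < 0x20 for ch in decoded)
    # Strip control bytes before asking whether what remains looks like a hostname.
    visible = "".join(ch for ch in decoded if ord(ch) >= 0x20)
    looks_like_host = bool(_HOSTLIKE.fullmatch(visible.lower()))
    return {
        "url": url,
        "real_host": real_host,
        "userinfo": userinfo,
        "control_chars": control_chars,
        "deceptive": bool(userinfo and (looks_like_host or control_chars)),
    }


def scan_for_spoofed(urls) -> list:
    """Return the subset of urls whose userinfo part is flagged as deceptive."""
    return [u for u in urls if analyze_url(u)["deceptive"]]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze_url(u)
        flag = "DECEPTIVE" if r["deceptive"] else "ok"
        print(f"{flag:9} real host={r['real_host']!r} userinfo={r['userinfo']!r}")
```

The same split is what a proxy log or mail gateway would apply before rendering or following a link: the authority is split on the last "@", the host is taken from the right-hand side, and the left-hand side is inspected rather than displayed. The first two samples are flagged; the plain PayPal URL and the ordinary user:pass form are not.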
justin
Mod
2003-Dec-12 5:48 pm
that's cute. I figured there would be creative use of redirectors.
I mean - you could post one of those "Special offer" links, the ones that nobody expects to look correct because they are long and have affiliate pay-on-click codes in them? - and then redirect to a phished version of SBC DSL signup page and keep them within it. Then collect credit card numbers for days before the victims noticed.
mod bait
to The Way Out
/extreme_sarcasm
Well, hopefully, Microsoft will give this matter several weeks or months of careful consideration and analysis, as they seem to be with the recently-announced active scripting exploits.
to The Way Out
I actually blocked the link from showing up using ad blocker in norton IS
HalfFull
to The Way Out
said by The Way Out: Want to see something scary? Try this link:
https://www.paypal.com
It says PayPal in the URL, but it's not paypal! You'll notice that it still displays the "Lock" in the bottom right hand corner, too. Be afraid. :|
sad...since Micro$oft is too cheap to fix the flaw, legitimate businesses will be hurt as the security problem is more publicized. Computer-challenged people won't buy on-line because they will be afraid of a scam...
ephilipps
to The Way Out
ViruScan Enterprise pops a window just by opening the forum post. I guess Microsoft will get around to this sooner or later....