Network Security Bugtraq

Phishing - feature or flaw

Subject: Phishing - feature or flaw
Date: Fri, 24 Jun 2005 15:38:18 -0700
Hi,

Regarding certain vulnerabilities that are being discovered such as http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test

Are these really features, or are they flaws now because of the phishing threat vector? Originally JavaScript/DHTML/DOM is pretty powerful and can do a lot of nasty stuff if someone were inclined. But phishing has caused us to take a look at the once-dubbed features of DHTML, and possibly put responsibility onto the browser vendors for fixing these now-dubbed "flaws".

For example, is this a flaw - https://slam.securescience.com/threats/mixed.html (some Mozilla browsers don't like Thawte yet so you will get a warning). This is a standard frame with the URL domain as https://slam.securescience.com, but the body is https://www.bankone.com - take a look at the lock icon - it will only verify the URL domain - is that a browser issue, a CA issue, or a feature?

As we all have seen, one can use DHTML to create a popup and replace a mimicked address bar if one were so inclined (dirty rendition at http://ip.securescience.net/exploits/ - popup blockers off, and it was designed for IE). Feature, or flaw?


--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!
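
Added example, not part of the original post: a JavaScript check for the mixed-frame case the message describes, listing frames whose origin differs from the address-bar origin that the lock icon vouches for. The function names, hostnames and sample markup are constructed for illustration.

```javascript
// Constructed sample: an outer HTTPS page framing content from another site.
const SAMPLE_PAGE = "https://outer.example/threats/mixed.html";
const SAMPLE_HTML = `
<frameset rows="100%">
  <frame src="https://bank.example/login">
  <frame src='/banner.html'>
</frameset>`;

// Collect the src attribute of every <frame>/<iframe> tag. A regex scan is
// enough for auditing static markup; it is not a full HTML parser.
function frameSources(html) {
  const tagRe = /<i?frame\b[^>]*>/gi;
  const srcRe = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const out = [];
  for (const tag of html.match(tagRe) || []) {
    const m = srcRe.exec(tag);
    if (m) out.push(m[1] ?? m[2] ?? m[3]);
  }
  return out;
}

// Resolve each frame against the top-level URL and compare origins
// (scheme + host + port). The lock icon speaks only for the top-level origin.
function auditFrames(pageUrl, html) {
  const top = new URL(pageUrl);
  return frameSources(html).map((src) => {
    let u;
    try {
      u = new URL(src, top);
    } catch {
      // Unparseable src: treat as untrusted rather than silently skipping it.
      return { src, origin: null, crossOrigin: true, https: false };
    }
    return {
      src,
      origin: u.origin,
      crossOrigin: u.origin !== top.origin,
      https: u.protocol === "https:",
    };
  });
}

// True only when every frame shares the origin shown in the address bar.
function lockIconCoversAllContent(pageUrl, html) {
  return auditFrames(pageUrl, html).every((f) => !f.crossOrigin);
}

console.log(auditFrames(SAMPLE_PAGE, SAMPLE_HTML));
```

A frame flagged `crossOrigin: true` with `https: true` is the case from the post: the body is served over TLS by a different site than the one the address bar and lock icon identify.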
