Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase,

from [Amir Herzberg] Network Security [Permanent Link]
Subject: Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...
Date: Mon, 25 Oct 2004 09:13:03 +0200
"David Wall @ Yozons, Inc." responded to me: 
and most visible and sensitive web sites still ask users to enter
passwords into unprotected web forms - making it trivial for attackers
to emulate these pages and steal passwords. These include PayPal, chase,
 Microsoft's passport, Yahoo!, eBay, TD Waterhouse,...  (I've checked
most of them about a month ago and this was still the case; I've checked
 PayPal today...)

Your tool may be nice, but Paypal does redirect to an SSL site if you type
in paypal.com or www.paypal.com and if you click the "log in" link.

PayPal redirects to SSL site once you hit the `log in` link, but it also asks users for userid and password directly at its (unprotected) homepage, http://www.paypal.com. The same holds for Chase, Yahoo! etc (see screen shots and links from the paper, http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm).
Some of them (e.g. Chase) are especially misleading as they display a padlock next to the `login` button, which users may interpret as `this is protected`. But of course these pages are not protected at all so they are trivial to spoof (and collect the passwords).

Of course, this helps, but since most web users are not savvy and don't use
your tool, such a "fix" rarely helps.

Exactly my point. Conclusions:
1. Web users should be encouraged to use TrustBar (or browsers, or add-ins, providing equivalent functionality).
2. Browser developers should incorporate TrustBar (or equivalent mechanisms). This should be easy, esp. since our project is open-source (http://trustbar.mozdev.org) and as far as I know patent-free.
3. Web site designers should be more sensitive to this threat... It is amazing that such major sites have such obvious and trivial to fix vulnerabilities, and noticed I've informed them all; the only positive response I got was some discount vouchers from TD Waterhouse - but really I would have preferred, if they also acted on my trivial recommendation...

After all, someone who is naive
enough to follow such paypal links probably doesn't know anything about
keeping themselves safe online, which is why they are targeted.
Here you are wrong; the problem is at the mail paypal site so many users - even not naive - may reach this site.

Best, Amir Herzberg
http://AmirHerzberg.com
Associate Professor, Computer science department, Bar Ilan University

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re[2]: Hacking/security in main-stream media, David Sanchez
Next by Date:  Re: Re[2]: Hacking/security in main-stream media, Morgan Reed
Previous by Thread:  .NET Articles and OWASP T10 Spanish, Mark Curphey
Next by Thread:  RE: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ..., Yvan G.J. Boily
Indexes:  [Date] [Thread] [Top] [All Lists]