Date: Thu, 08 Dec 2011 09:34:49 +0000
From: Dave <mrx@...pergander.org.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect

On 08/12/2011 09:13, Michal Zalewski wrote:
>> For example: did you know that if you click on a link from coredump.cx
>> to microsoft.com and it opens in a new window, then a second or two
>> later, that coredump.cx in the background can change the URL of the
>> microsoft.com window, and point it to evil.com? Heck, coredump.cx can
>> even wait until you navigate further down the microsoft.com website -
>> and detect that event programmatically. That behavior is enshrined
>> within the current design of the same-origin policy, and browser
>> vendors seem hesitant to touch it.
> 
> Here's a tiny PoC:
> http://lcamtuf.coredump.cx/switch/
> 
> /mz

I run with NoScript. So the links showed on the initial pages and, when clicked, the same address as the links appeared in the address bar.

Running with scripting enabled and clicking the do it button caused this to appear in the address bar: "data:text/html;np.cx/beaver/"

I do online banking and, being paranoid, I do check the address bar and look for https and the "verified by: VeriSign, Inc" popup when mousing over the domain. If anything even slightly suspicious occurs when connecting to my banking logon I will inspect the certificate and may even examine the page source, depending on how suspicious I am that my bookmarks may have been compromised or that the page is not what I expect it to be.

Obviously many users are not this paranoid, otherwise phishing would not be as successful as it is.

Dave



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
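The behaviour Zalewski describes above (the page that opened a new window keeps a handle it can later navigate) is today addressed on the opened site's side by the Cross-Origin-Opener-Policy header, which did not exist when this thread was written. The following is an added example, not code from the thread or from the PoC, that checks a site's raw response headers for that protection; it assumes the opener is cross-origin and sends no COOP of its own (`unsafe-none`), and that the site is served over HTTPS, since COOP is ignored in non-secure contexts.

```javascript
// Added example: decide from a site's response headers whether a cross-origin
// opener keeps a usable WindowProxy to the window it opened. With COOP
// `same-origin` or `same-origin-allow-popups` on the opened document, the
// browser puts it in a fresh browsing context group and the opener's handle is
// disconnected, so a later `w.location = ...` from the opener no longer lands.
// Assumptions: opener is cross-origin with COOP `unsafe-none`; HTTPS delivery.

function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                  // skip status line and blank lines
    const name = line.slice(0, idx).trim().toLowerCase();
    headers[name] = line.slice(idx + 1).trim();
  }
  return headers;
}

const SEVERING_VALUES = new Set(['same-origin', 'same-origin-allow-popups']);

// Returns { severed: boolean, reason: string } for the opened document.
function openerHandleSevered(rawHeaders, scheme = 'https') {
  if (scheme !== 'https') {
    return { severed: false, reason: 'COOP is only enforced in secure contexts' };
  }
  const h = parseHeaders(rawHeaders);
  // Drop any `; report-to=...` parameter and normalise the policy token.
  const coop = (h['cross-origin-opener-policy'] || 'unsafe-none')
    .split(';')[0].trim().toLowerCase();
  if (SEVERING_VALUES.has(coop)) {
    return { severed: true, reason: `COOP ${coop}: opened window moved to its own browsing context group` };
  }
  // `unsafe-none` (the default) or an unrecognised value: opener keeps the handle.
  return { severed: false, reason: `COOP ${coop}: opener keeps a live WindowProxy` };
}

// Constructed sample responses: one without COOP, one with it (plus reporting).
const UNPROTECTED = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n';
const PROTECTED = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n' +
  'Cross-Origin-Opener-Policy: same-origin; report-to="coop"\r\n';

console.log(openerHandleSevered(UNPROTECTED).reason);
console.log(openerHandleSevered(PROTECTED).reason);
```

Note that setting `window.opener = null` from the opened page does not help here: it only clears the opened page's own reference, while the opener's handle returned by `window.open()` remains valid.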