Date: Sun, 17 Mar 2013 18:11:47 +0100
From: Roman Kümmel <ccuminn@...m.cz>
To: full-disclosure@...ts.grok.org.uk
Subject: Fake Applications in browser

Hello to everyone,
I thought I would create some proofs of concept about faking applications in 
the web browser after I saw "Browser Event hijacking" 
(http://labs.neohapsis.com/2012/11/14/browser-event-hijacking/) with the 
CTRL+F trick and the fake search bar in the browser.

It is possible to hijack a user's admin password or their files with saved 
passwords or any configuration files, etc.

It is possible to make a fake web browser in a real web browser as well :) 
It allows one to get a man-in-the-middle position between users and web servers.

I presented this technique, "Fake Applications in browser", in Prague at the 
SOOM.cz Hacking & Security Conference (March 2013) and I describe it in 
the article 
http://www.soom.cz/index.php?name=articles/show&aid=637&title=Fake-Applications-in-Browser. 
It is written in the Czech language, so you must read it with a (Google) 
translator.

Roman Kümmel aka .cCuMiNn.
http://www.soom.cz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
