lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 13 May 2016 03:51:29 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: Danny Kopping <dannykopping@...il.com>, fulldisclosure@...lists.org
Subject: Re: [FD] Skype Phishing Attack

oh no - please don't post each and every phishing attack on FD becasue 
then we would see nothing else when mailadmins start to do the same

Am 11.05.2016 um 22:57 schrieb Danny Kopping:
> First-time poster here. I've been told to submit this issue to FD since
> Microsoft's Security Team rejected this out of hand because it doesn't meet
> their arbitrary definition of a vulnerability.
>
> "Thank you for contacting the Microsoft Security Response Center (MSRC).
> Upon investigation we have determined that this is not a valid
> vulnerability."
>
> Below is the original message i sent to secure@...rosoft.com:
>
> *------------------- Original Message -------------------*
> Hi
>
> I've found a way to conduct a phishing attack on unsuspecting users by
> exploiting the image preview functionality found in modern versions of
> Skype (only tested on Mac so far).
>
> Right at the outset here I'll say that i'm not a security researcher, just
> a lowly programmer.
>
> The exploit is very very simple.
> Skype announces that it is fetching an image preview when requesting an
> HTTP(S) link from a server. The User-Agent header is:
>
> Mozilla/5.0 (Windows NT 6.1; WOW64) *SkypeUriPreview* Preview/0.5
>
> This can be exploited to respond with different (even if not malicious)
> content which is disingenuous.
>
> My proof of concept can be found here:
> http://infomaniac.co.za/skype-phish/
>
> In Skype, when the link is pasted, appears like this:
> [image: Inline image 1]
>
> And when clicked, you are shown a Facebook login form:
> [image: Inline image 2]
>
> After filling out the form and submitting it, you then see:
>
> [image: Inline image 3]
>
> The exploit is very simple and the code can be found here:
> http://infomaniac.co.za/phish.zip
>
> I hope Skype will take steps to improve the safety and security of its
> regular non-technical users.
>
> I believe this particular issue can be mitigated by simply not including a
> specific User-Agent string in requests.
>
> Thank you


Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists