Message-ID: <Pine.LNX.4.58.0702221425470.12009@dione>
Date: Thu, 22 Feb 2007 14:33:38 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: "pdp (architect)" <pdp.gnucitizen@...glemail.com>,
	bugtraq@...urityfocus.com, security@...illa.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability

On Thu, 22 Feb 2007, pdp (architect) wrote:

> This vulnerability is cute but not very useful mainly because a lot of
> social engineering is required.

Well, very little trickery is required - having a person bookmark an
interesting page and then reopen it later on, while the browser is still
on its start page (or just about any other high-profile site), isn't that
unusual, and does not rely on an improbable set of circumstances, or the
user being particularly timid.

This problem is not that significant for a different reason - to affect a
small percentage of population, you'd need to invest some serious effort
into providing content and PR for the attack site. Spending several days
to steal GMail cookies from 1000 users is a waste of time when you can get
10000 rooted boxes in hours with a trojan horse e-mail.

So, yeah.

/mz
