lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Feb 2007 13:43:48 +0000 From: "pdp (architect)" <pdp.gnucitizen@...glemail.com> To: "Michal Zalewski" <lcamtuf@...ne.ids.pl> Cc: bugtraq@...urityfocus.com, security@...illa.org, full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability well placed splog network can reach millions of users in a couple of hours. On 2/22/07, Michal Zalewski <lcamtuf@...ne.ids.pl> wrote: > On Thu, 22 Feb 2007, pdp (architect) wrote: > > > This vulnerability is cute but not very useful mainly because a lot of > > social engineering is required. > > Well, very little trickery is required - having a person bookmark an > interesting page and then reopen it later on, while the browser is still > on its start page (or just about any other high-profile site), isn't that > unusual, and does not rely on an improbable set of circumstances, or the > user being particularly timid. > > This problem is not that significant for a different reason - to affect a > small percentage of population, you'd need to invest some serious effort > into providing content and PR for the attack site. Spending several days > to steal GMail cookies from 1000 users is a waste of time when you can get > 10000 rooted boxes in hours with a trojan horse e-mail. > > So, yeah. > > /mz > -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Powered by blists - more mailing lists