Message-ID: <4C12C33FB9D17644817F45CDE1966274146D53@arthurdent.home.jalojash.org>
Date: Wed, 9 May 2007 11:10:15 -0700
From: "Jim Harrison" <Jim@...tools.org>
To: <yashks@...il.com>, <bugtraq@...urityfocus.com>
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot method

(copied here without permission)
Step by Step Demo:

- Download POC from http://tracingbug.com/downloads/citihook.zip and
unzip to some directory
- Launch citihook.exe, this will watch only
https://www.online.citibank.co.in/ URL

Effectively, "Let me install my malware on your machine to demonstrate
how vulnerable it is."

P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
The "problem" ceases to be a vulnerability at this point.

-----Original Message-----
From: yashks@...il.com [mailto:yashks@...il.com] 
Sent: Monday, May 07, 2007 3:03 AM
To: bugtraq@...urityfocus.com
Subject: Defeating Citibank Virtual Keyboard protection using screenshot
method

Severity: Critical 

Platforms Affected:

Microsoft Corporation: Windows 98 Any version 
Microsoft Corporation: Windows Me Any version 
Microsoft Corporation: Windows XP Any version
Microsoft Corporation: Windows 2000 Any version 
Microsoft Corporation: Windows 2003 Any version 
Microsoft Corporation: Windows NT 4.0 Any version
Citi-Bank: Citi-Bank Virtual Keyboard Any version 

Browsers:
Microsoft Internet Explorer Any version
Mozilla Firefox Any version
Any browser that runs on the Win32 platform (with slight modification)

Original URL: http://www.tracingbug.com/index.php/articles/view/23.html

Regards,
Yash K.S <yashks@...il.com > | www.tracingbug.com
