Message-ID: <20040324085750.39307.qmail@web25102.mail.ukl.yahoo.com>
From: r4bb1t_f00d at yahoo.co.uk (rabbit food)
Subject: .MAC Phishing .. Security through obscurity

Thanks for your constructive academic response, Peter.

> Useless Information

Hm, that would depend on the attacker's perspective; an
authenticated redirector may protect Apple from unsolicited
use of their redirect (think about it).

Also, if you take a moment to think about the way in
which this could be exploited with a little bit of
HTML/JavaScript, some fun could be had if you were
maliciously inclined.

But of course, chains and weak links are always
part of the fun.


> It may be possible to redirect a naive .Mac webmail
> user to another site, possibly one mocked up as
> webmail (a user may ignore the fact SSL is not
> present).
>
> http://webmail.mac.com/redirect/http://your url
 
How is this different from <<ANY>> other redirect
attack? Why is this a ".MAC Webmail phishing attack"???

Hmmmm, think about that one, Peter (I didn't say there was
anything special about it; all the more reason why it should
be noticed).
 

Is there anything special about .mac webmail that
makes this kind of attack any easier? This is not
some intuitive leap here...

>>>>>
Indeed, a correct observation; maybe something Apple
could respond to.


Now the IE obfuscated (look up the definition in
dictionary.com) redirection bug, that was good. It
could even be crafted to make the little lock icon
appear.
 >>

Indeed. There are always smarter people and things
out there.

I just don't want some ignorant reporter reading your
message and thinking "oh my god, Apple's email service
is full of holes!!!"


Which reporters are you talking about? Ignorance is
rife; just take a look back over the past 300 years of
the printed press... and isn't this full-disclosure?

Take a chill-pill dude.

r4bb1t
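The two ideas argued over above, an open redirector that forwards to whatever follows /redirect/ and the "authenticated redirector" rabbit food says would stop unsolicited use of it, side by side as an added example. This is not code from the thread or from Apple's service; the path layout /redirect/<url> is taken from the URL quoted in the message, while the signing key, the allowed-host set, the function names and the evil.example destination are assumptions constructed for the example.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Hypothetical server-side signing key (assumption for this example; a real
# deployment loads it from a secrets store, never from source).
REDIRECT_KEY = b"example-redirector-key-not-for-production"

# Hosts an unsigned redirect is allowed to reach (assumption; the thread does
# not say what the .Mac redirector permitted).
ALLOWED_HOSTS = {"webmail.mac.com", "www.mac.com"}

PREFIX = "/redirect/"


def extract_target(path: str) -> Optional[str]:
    """Pull the destination out of a path of the form /redirect/<url>."""
    if not path.startswith(PREFIX):
        return None
    return unquote(path[len(PREFIX):])


def open_redirect(path: str) -> Optional[str]:
    """The behaviour described in the thread: forward to whatever follows
    /redirect/ with no check at all. Anyone can mint a link that starts on
    the trusted host and lands on a look-alike login page."""
    return extract_target(path)


def _safe_web_url(target: str) -> bool:
    """Only absolute http(s) URLs may be destinations. This rejects
    javascript: and data: targets as well as scheme-relative //host forms."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and parts.hostname is not None


def allowlisted_redirect(path: str) -> Optional[str]:
    """Policy 1: an unsigned redirect may only land on a host we operate.
    hostname (not netloc) is compared, so http://webmail.mac.com@evil.example/
    is seen for what it is."""
    target = extract_target(path)
    if target is None or not _safe_web_url(target):
        return None
    if urlsplit(target).hostname not in ALLOWED_HOSTS:
        return None
    return target


def _tag(target: str) -> bytes:
    """HMAC-SHA256 over the exact destination string."""
    return hmac.new(REDIRECT_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest().encode("ascii")


def mint_signed_redirect(target: str) -> str:
    """Policy 2: the site itself mints redirect links (for example in the mail
    it sends) and tags each destination with an HMAC, so a third party cannot
    produce a link the redirector will honour."""
    return f"{PREFIX}{quote(target, safe='')}?sig={_tag(target).decode('ascii')}"


def authenticated_redirect(path_with_query: str) -> Optional[str]:
    """Honour a redirect only when its destination carries a valid tag and is
    a plain http(s) URL. A tag covers exactly one destination, so editing the
    target invalidates it."""
    path, _, query = path_with_query.partition("?")
    target = extract_target(path)
    if target is None or not _safe_web_url(target):
        return None
    presented = parse_qs(query).get("sig", [""])[0].encode("utf-8")
    if not hmac.compare_digest(presented, _tag(target)):
        return None
    return target


if __name__ == "__main__":
    # Constructed sample links; evil.example stands in for a phisher's host.
    phish = "/redirect/http://evil.example/webmail-login"
    print("open redirector sends the user to:", open_redirect(phish))
    print("allowlisted redirector:", allowlisted_redirect(phish))
    print("authenticated redirector:", authenticated_redirect(phish))
    good = mint_signed_redirect("https://www.mac.com/support/")
    print("signed link:", good, "->", authenticated_redirect(good))
```

The allowlist is the right policy when the redirector only ever needs to reach the operator's own hosts; the signed form is the one to use when the site legitimately sends users off-site (links in outbound mail, partner sites), since it lets the operator keep minting arbitrary destinations while a phisher, who lacks the key, cannot. Both policies keep the scheme check, which is what closes off the "little bit of HTML/JavaScript" angle: a signed link is still refused if its destination is not an http(s) URL.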