lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri Oct 21 08:15:55 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen).

Scott Melnick to me:

> It has been that way for a long time. Sometime the underlined link is in
> the form of Click Here to be redirected. Phishing schemes have been
> using this in emails for a good long time as well. Especially the ebay
> account ones that I'm sure everyone has seen about account information.

"because "it works" does NOT mean that is how it is supposed to be...

And, even if "this is how it is supposed to be" by some or rather 
interpretation of some standard does not mean that we cannot question 
the desirability (or even the sanity) of that "standard" and/or of 
sticking to implementing it!

Even if this behaviour is "correct" (which seems entirely open to 
debate if you read the mess of responses), I will continue to argue 
that _this particular form_ of duping the user is so undesirable as to 
be a total misfeature AND SHOULD BE REMOVED on the grounds the standard 
is clearly totally bozoid in this case.

...

Oh, and I can't be sure, but I suspect that the phishing schemes you 
are referring to are actually those I see quite a lot using the "fool 
the status bar display of the destination URL with a broken MAP tag 
improperly embedded in an HREF" trick (which only works in IE, and 
maybe some versions of Opera).  If so, you are wrong again and the 
"problem" is not the HTML spec, or Javascript, or anything but total 
lack of concern for standards compliance in Redmond...  (And yes, there 
are other tags apart from MAP that can be used in that trick, but they 
are very rarely used by the phishers...)


Regards,

Nick FitzGerald

Powered by blists - more mailing lists