lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri Oct 21 08:15:55 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen). Scott Melnick to me: > It has been that way for a long time. Sometime the underlined link is in > the form of Click Here to be redirected. Phishing schemes have been > using this in emails for a good long time as well. Especially the ebay > account ones that I'm sure everyone has seen about account information. "because "it works" does NOT mean that is how it is supposed to be... And, even if "this is how it is supposed to be" by some or rather interpretation of some standard does not mean that we cannot question the desirability (or even the sanity) of that "standard" and/or of sticking to implementing it! Even if this behaviour is "correct" (which seems entirely open to debate if you read the mess of responses), I will continue to argue that _this particular form_ of duping the user is so undesirable as to be a total misfeature AND SHOULD BE REMOVED on the grounds the standard is clearly totally bozoid in this case. ... Oh, and I can't be sure, but I suspect that the phishing schemes you are referring to are actually those I see quite a lot using the "fool the status bar display of the destination URL with a broken MAP tag improperly embedded in an HREF" trick (which only works in IE, and maybe some versions of Opera). If so, you are wrong again and the "problem" is not the HTML spec, or Javascript, or anything but total lack of concern for standards compliance in Redmond... (And yes, there are other tags apart from MAP that can be used in that trick, but they are very rarely used by the phishers...) Regards, Nick FitzGerald
Powered by blists - more mailing lists