[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <242a0a8f0606070917ic80b49dm97b18d84bd3473ce@mail.gmail.com>
Date: Wed Jun 7 17:17:51 2006
From: eaton.lists at gmail.com (Brian Eaton)
Subject: file upload widgets in IE and Firefox have
issues
On 6/7/06, Michel Lemay <mlemay@...eo.com> wrote:
> Would it be possible to use a similar technique to generate an URL with
> query parameters containing user keystrokes? This URL could then be
> submitted to any compromised website. The attacker could then look into
> logs and have a peek at theses submitted requests.
Yes, people have prototyped javascript key loggers.
http://www.whitehatsec.com/presentations/phishing_superbait.pdf
The whole presentation is pretty good, but the specific example
relevant to your question starts around page 28. I don't know of any
attacks like this seen in the wild so far. The presentation suggests
that once two-factor auth becomes common this is where attackers will
go next. That makes sense to me.
- Brian
Powered by blists - more mailing lists