Phishing - feature or flaw

From: Secure Science Corporation Bugtraq (bugtraq_at_securescience.net)
Date: 06/25/05

    Date: Fri, 24 Jun 2005 15:38:18 -0700
    To: bugtraq@securityfocus.com

    Hi,

    Regarding certain vulnerabilities that are being discovered such as
    http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test

    Are these really features, or are they flaws now because of the phishing
    threat vector? Originally JavaScript/DHTML/DOM is pretty powerful and
    can do a lot of nasty stuff if someone were inclined. But phishing has
    caused us to take a look at the once dubbed features of DHTML, and
    possibly put responsibility onto the browser vendors for fixing these
    now dubbed "flaws".

    For example, is this a flaw -
    https://slam.securescience.com/threats/mixed.html (some Mozilla browsers
    don't like Thawte yet, so you will get a warning). This is a standard
    frame with the URL domain as https://slam.securescience.com, but the
    body is https://www.bankone.com - take a look at the lock icon - it will
    only verify the URL domain - is that a browser issue, a CA issue, or a
    feature?

    As we all have seen, one can use DHTML to create a popup and replace a
    mimicked address bar if one were so inclined (dirty rendition at
    http://ip.securescience.net/exploits/ - popup blockers off, and it was
    designed for IE). Feature, or flaw?

    -- 
    Best Regards,
    Lance James
    Secure Science Corporation
    www.securescience.net
    Author of 'Phishing Exposed'
    http://www.securescience.net/amazon/
    Find out how malware is affecting your company: Get a DIA account today!
    https://slam.securescience.com/signup.cgi - it's free!
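One mitigation for the framing case raised in the mail (a bank page rendered inside a frame whose address bar and lock belong to another domain) is for the framed site to check its own framing context and refuse to render when the top-level origin is foreign. The check below is an added example, not code from the mail or from Secure Science; `win` is injected and the window objects are constructed stand-ins so it can be exercised outside a browser, and the allowlist origin is hypothetical.

```javascript
// Added example (not from the original mail): a frame-ancestor check that a framed
// page can run so it refuses to render inside a frame whose top-level origin is not
// its own (or not on an allowlist). `win` is injected so the logic can be exercised
// with constructed window-like objects outside a browser.
const ALLOWED_FRAMERS = ["https://www.example-bank.test"]; // hypothetical allowlist

function framingDecision(win, allowedFramers = ALLOWED_FRAMERS) {
  // Not framed at all: nothing to do.
  if (win.top === win.self) {
    return { framed: false, topOrigin: win.self.location.origin, action: "render" };
  }
  let topOrigin;
  try {
    // A same-origin parent exposes its location; a cross-origin parent throws a
    // SecurityError here, which is itself the signal that a foreign page framed us.
    topOrigin = win.top.location.origin;
  } catch (e) {
    return { framed: true, topOrigin: null, action: "escape" };
  }
  if (topOrigin === win.self.location.origin || allowedFramers.includes(topOrigin)) {
    return { framed: true, topOrigin, action: "render" };
  }
  return { framed: true, topOrigin, action: "escape" };
}

// Constructed stand-ins for browser window objects. topOrigin undefined = not framed,
// null = framed by a cross-origin parent (reading top.location throws), a string =
// framed by a parent that is readable (same-origin in a real browser).
function makeWindow(selfOrigin, topOrigin) {
  const self = { location: { origin: selfOrigin } };
  if (topOrigin === undefined) return { self, top: self };
  const top = {};
  if (topOrigin === null) {
    // Simulate the cross-origin SecurityError a real browser raises on read.
    Object.defineProperty(top, "location", { get() { throw new Error("SecurityError"); } });
  } else {
    top.location = { origin: topOrigin };
  }
  return { self, top };
}
```

When the decision is "escape", the conventional response is `top.location.replace(self.location.href)`, and the more robust control is the server sending an `X-Frame-Options` or CSP `frame-ancestors` header so the browser enforces the policy before any script runs.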
    
