-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/12/2011 09:13, Michal Zalewski wrote:
>> For example: did you know that if you click on a link from coredump.cx
>> to microsoft.com and it opens in a new window, then a second or two
>> later, that coredump.cx in the background can change the URL of the
>> microsoft.com window, and point it to evil.com? Heck, coredump.cx can
>> even wait until you navigate further down the microsoft.com website -
>> and detect that event programmatically. That behavior is enshrined
>> within the current design of the same-origin policy, and browser
>> vendors seem hesitant to touch it.
>
> Here's a tiny PoC:
> http://lcamtuf.coredump.cx/switch/
>
> /mz
I run with NoScript. So the links showed on the initial page, and when I clicked the links, the same address as the links appeared in the address bar. Running with scripting enabled and clicking the "do it" button caused this to appear in the address bar: "data:text/html;np.cx/beaver/"

I do online banking and, being paranoid, I do check the address bar and look for https and the "Verified by: VeriSign, Inc" popup when mousing over the domain. If anything even slightly suspicious occurs when connecting to my banking logon I will inspect the certificate and may even examine the page source, depending on how suspicious I am that my bookmarks may have been compromised or the page is not what I expect it to be. Obviously many users are not this paranoid, otherwise phishing would not be as successful as it is.

Dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTuCEubIvn8UFHWSmAQKN2wgAjMe2BOEo2sSetsfhnEGBGzTjtaW9RYsq
eXyYVHOp8gkt9xkvoob4sjK1LV5zuM43qaP2s3TGcQrsx1A3Aqho+C1NuHP70y2f
5E9l8Y4dibifoERzal8yDjBEMJKqi7fbHuYkWz4xrBFyX9fz8GhZbsGI2Sef5621
Df99Ro6jRGfPqMhFcCQLwgudwdz8BDTBIyoYofpqH29su11mOOWvsRieBEfIcYM8
ENnJ8hsBrYy4f9a4b8KNfe6bukiHkIhaH5Td1r/HIxFiUkphAbmXtU7BD3mfo0Cs
gvLr8ePOHVCHPUo5hiYhA1nhHRrKDqvpd7D6IvE7BgsqMhrhlYN41Q==
=BX4Q
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
