On Tue, 14 Jun 2011 16:26:59 EDT, Jeffrey Walton said: > : One security expert familiar with the investigation wondered > : how the hackers could have known to breach security by > : focusing on the vulnerability in the browser. "It would have > : been hard to prepare for this type of vulnerability," he said. > : The security expert insisted on anonymity because the > : inquiry was at an early stage. > A vulnerability in the browser which results in server access. > Something sounds fishy, and he/she should remain anonymous.
It's called "sarcasm". No security professional could have *possibly* predicted that using a URL that looks like https://www.big-bank.com/account=134233433 could possibly be attacked, and it's *so* hard to design your web interface to prepare for that sort of session hijacking....
pgpfLfQqo5hZS.pgp
Description: PGP signature
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
