The question is how much of an actual additional phishing risk this type of information leak is. The browsers have accidentally conducted an experiment for us. The result so far appears to indicate that this information provides little additional benefit to phishers as they haven't used it for known successful attacks. Additional data most welcomed.
Btw: The primary use case of Webfinger will provide similar clues. On Tuesday, December 15, 2009, SitG Admin <[email protected]> wrote: > > Note that all of these except the last are about how to use this for useful > purposes or just playing around; > > > Note? I put them in that order deliberately! The questions on this thread > were about how widespread this exploit is "in the wild", and, as you can see, > there are plenty of reasons for *good-intentioned* developers to practice it. > > > the last one is a theoretical note that says "this may be useful for > phishing" but doesn't give a specific attack > > > You can find working implementations in the first set of links. That they > double as attack vectors, despite being utilized for a benevolent purpose, > wasn't something I saw any need to explain. > > -Shade > -- -- John Panzer / Google [email protected] / abstractioneer.org / @jpanzer _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
