> I find this to be particularly concerning from a privacy point of view.
>
> You can retrieve enough information about a user to even replicate their home page. This could be particularly damaging from a phishing point of view. Not only can I spoof the Twitter home page, I can now spoof the home page of any user that visits it. Making it that much more realistic.

And how is that news? I can always redirect you to twitter.com/home and inject a script that sends your data somewhere else. Just use an iframe and clickjacking. The point is not to stop legitimate uses of data but to educate end users that it is just very stupid to enter sensitive data in any form field - even the official ones - without any encryption.

For phishing purposes this is pretty pointless as you need to be logged in to get to that data. That being asked to log in again when you are obviously logged in succeeds as a phishing scam is a problem with people, not technology.

This is what it boils down to: we've been so far removed from the people we try to protect with our security language that we don't reach where it matters.

> This is, however, one of the reasons I run with NoScript (FF extension) when I'm browsing the web.

It is a good start but it doesn't protect you from redirection tricks or iframe tricks.

> While this information _is_ publicly accessible, I want to reiterate that it is troubling how you can figure out which specific Twitter user may be visiting your site.

It is more troubling if people don't log out at the end of a session. Paranoia is never a good thing. If you leave things logged in, you are vulnerable.
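The "iframe tricks" and clickjacking raised in the reply above are, on the server side, countered by anti-framing headers. The following is an added example, not code from the thread or from Twitter, that classifies a response's framing policy from its `X-Frame-Options` and Content-Security-Policy `frame-ancestors` headers; the sample header sets are constructed for illustration and the function names are this example's own.

```python
# Added example (not from the thread): audit an HTTP response's headers for
# the two standard anti-framing controls, X-Frame-Options and the CSP
# frame-ancestors directive. Input is a dict of response headers; every
# sample below is constructed for illustration.


def parse_frame_ancestors(csp: str):
    """Return the source list of a frame-ancestors directive, or None if the
    Content-Security-Policy header carries no such directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_policy(headers: dict) -> str:
    """Classify how a response may be embedded by another origin.

    Returns 'denied', 'same-origin-only', 'restricted' (explicit allow-list)
    or 'unrestricted'. Header names are matched case-insensitively. Per the
    CSP specification a frame-ancestors directive, when present, takes
    precedence over X-Frame-Options, so it is evaluated first.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        srcs = [s.strip("'").lower() for s in ancestors]
        if srcs == ["none"]:
            return "denied"
        if srcs == ["self"]:
            return "same-origin-only"
        if "*" in srcs:
            return "unrestricted"
        return "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin-only"
    # No recognised control: any site may frame the page, which is the
    # precondition for a clickjacking overlay.
    return "unrestricted"


# Constructed sample responses, keyed by a short label.
SAMPLE_RESPONSES = {
    "no-protection": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-wins": {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "frame-ancestors *"},
}


def audit(responses=SAMPLE_RESPONSES) -> dict:
    """Map each sample label to its framing verdict."""
    return {name: framing_policy(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:15s} {verdict}")
```

The `csp-wins` sample shows the precedence rule: a permissive `frame-ancestors *` overrides an `X-Frame-Options: DENY` on the same response, so checking only the older header can report a page as protected when it is not.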
