On Jan 6, 1:35 am, Chris Heilmann <chris.heilm...@gmail.com> wrote:
> > I find this to be particularly concerning from a privacy point of
> > view.
>
> > You can retrieve enough information about a user to even replicate
> > their home page. This could be particularly damaging from a phishing
> > point of view. Not only can I spoof the Twitter home page, I can now
> > spoof the home page of any user that visits it. Making it that much
> > more realistic.
>
> And how is that news? I can always redirect you to twitter.com/home
> and inject a script that sends your data somewhere else. Just use an
> iframe and clickjacking. The point is not to stop legitimate uses of
> data but to educate end users that it is just very stupid to enter
> sensitive data in any form field - even the official ones - without
> any encryption. For phishing purposes this is pretty pointless as you
> need to be logged in to get to that data. Being asked to log in again
> when you are obviously logged in succeeding as a phishing scam is a
> problem with people, not technology. This is what it boils down to:
> we've been so far removed from the people we try to protect with our
> security language that we don't reach where it matters.
>
> > This is, however, one of the reasons I run with NoScript (FF
> > extension) when I'm browsing the web.
>
> It is a good start but it doesn't protect you from redirection tricks
> or iframe tricks.
>
> > While this information _is_ publicly accessible, I want to reiterate
> > that it is troubling how you can figure out which specific Twitter
> > user may be visiting your site.
>
> It is more troubling if people don't log out at the end of a session.
> Paranoia is never a good thing. If you leave things logged in, you are
> vulnerable.

p.s. Nearly every web application has a "Remember Me" button. People
love convenience. But in our multi-tabbed world, people simply aren't
going to sign out of Twitter/Gmail every time they open a new tab in
Firefox or click on a link. I as a security professional might do
that, but it's unreasonable to assume the general public will. This is
an unfortunate side-effect of how browsers and usage patterns have
evolved over time.
