Well and generously spoken, Damon. I coded up a proof-of-concept site for this leak today. It works so well it's scary. I am now quite hesitant to release the address publicly because of the backlash I might receive for deceiving people by sending them there. I may be willing to share it with this list, though.
I hope Damon and I (and others!) will continue to be squeaky wheels until something changes about this.

-Chad

On Tue, Jan 6, 2009 at 11:40 PM, Damon C <[email protected]> wrote:
>
> On Jan 6, 1:35 am, Chris Heilmann <[email protected]> wrote:
>> > I find this to be particularly concerning from a privacy point of view.
>> >
>> > You can retrieve enough information about a user to even replicate their home page. This could be particularly damaging from a phishing point of view. Not only can I spoof the Twitter home page, I can now spoof the home page of any user that visits it, making it that much more realistic.
>>
>> And how is that news? I can always redirect you to twitter.com/home and inject a script that sends your data somewhere else. Just use an iframe and clickjacking. The point is not to stop legitimate uses of data but to educate end users that it is just very stupid to enter sensitive data in any form field, even the official ones, without any encryption. For phishing purposes this is pretty pointless as you need to be logged in to get to that data. Being asked to log in again when you are obviously logged in succeeding as a phishing scam is a problem with people, not technology. This is what it boils down to: we've been so far removed from the people we try to protect with our security language that we don't reach where it matters.
>>
>> > This is, however, one of the reasons I run with NoScript (FF extension) when I'm browsing the web.
>>
>> It is a good start but it doesn't protect you from redirection tricks or iframe tricks.
>>
>> > While this information _is_ publicly accessible, I want to reiterate that it is troubling how you can figure out which specific Twitter user may be visiting your site.
>>
>> It is more troubling if people don't log out at the end of a session. Paranoia is never a good thing. If you leave things logged in, you are vulnerable.
>
> p.s. Nearly every web application has a "Remember Me" button. People love convenience. But in our multi-tabbed world, people simply aren't going to sign out of Twitter/Gmail every time they open a new tab in Firefox or click on a link. I as a security professional might do that, but it's unreasonable to assume the general public will. This is an unfortunate side-effect of how browsers and usage patterns have evolved over time.
