Chad,

I would very much like to see your proof of concept.

Dale

On Jan 6, 2009, at 11:15 PM, Chad Etzel wrote:
Well and generously spoken, Damon.

I coded up a proof-of-concept site for this leak today.  It works so
well it's scary.  I am now quite hesitant to release the address
publicly because of the backlash I might receive for deceiving people
by sending them there.  I may be willing to share it with this list,
though.

I hope Damon and I (and others!) will continue to be squeaky wheels
until something changes about this.

-Chad

On Tue, Jan 6, 2009 at 11:40 PM, Damon C <[email protected]> wrote:
On Jan 6, 1:35 am, Chris Heilmann <[email protected]> wrote:
I find this to be particularly concerning from a privacy point of
view.

You can retrieve enough information about a user to even replicate
their home page. This could be particularly damaging from a phishing
point of view. Not only can I spoof the Twitter home page, I can now
spoof the home page of any user that visits it, making it that much
more realistic.

And how is that news? I can always redirect you to twitter.com/home
and inject a script that sends your data somewhere else. Just use an
iframe and clickjacking. The point is not to stop legitimate uses of
data but to educate end users that it is just very stupid to enter
sensitive data in any form field - even the official ones - without
any encryption. For phishing purposes this is pretty pointless, as you
need to be logged in to get to that data. That being asked to log in
again when you are obviously logged in succeeds as a phishing scam is a
problem with people, not technology. This is what it boils down to:
we've been so far removed from the people we try to protect with our
security language that we don't reach where it matters.

This is, however, one of the reasons I run with NoScript (FF
extension) when I'm browsing the web.

It is a good start but it doesn't protect you from redirection tricks
or iframe tricks.

While this information _is_ publicly accessible, I want to reiterate
that it is troubling how you can figure out which specific Twitter
user may be visiting your site.

It is more troubling if people don't log out at the end of a session.
Paranoia is never a good thing. If you leave things logged in, you are
vulnerable.

p.s. Nearly every web application has a "Remember Me" button. People
love convenience. But in our multi-tabbed world, people simply aren't
going to sign out of Twitter/Gmail every time they open a new tab in
Firefox or click on a link. I as a security professional might do
that, but it's unreasonable to assume the general public will. This is
an unfortunate side effect of how browsers and usage patterns have
evolved over time.
