I see a couple other problems with this idea too. First, this is the first phishing scheme I've seen that loaded the actual homepage. Most just steal their logos.
Yes.. that was actually what got me thinking.. when image files are loaded with a referrer that isn't "local" maybe they should be replaced with fraud warnings. It's not 100% effective, and if it became widespread then it would be relatively easy to circumvent, but it would probably prevent a few ID thefts. While referrer is optional, it's controlled by the browser, and the people most likely to fall for these schemes are going to be running stock browsers without things like privacy screening proxies that strip them out.
Secondly, I'm almost positive that your browser wouldn't send encoded characters in the referer. Your browser would have already decoded them, and it would send them unencoded.
Why would your browser decode them? The browser usually does nothing with a URL except pass it unmodified to the server. When I write log processing scripts.. I have to decode them if I want to get consistent results.
As for usernames, I don't think your browser would EVER send that as part of the referer.
Yet they are.. along with the CGI arguments. This was used a while back to steal Hotmail/webmail accounts. Send somebody HTML email with an <img> tag which gets fetched from a server you have access to, and the referrer (used to) give you a fully functional URL into their mailbox. This has been fixed with almost all web-based email clients now.
That would be a MAJOR security flaw.
And it has been exploited...
-- Mitch
_______________________________________________ vox-tech mailing list [EMAIL PROTECTED] http://lists.lugod.org/mailman/listinfo/vox-tech
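
An added example, not part of the original thread: a server-side sketch of the "non-local referrer gets a fraud warning" idea for image requests, which parses the Referer first and percent-decodes only the host so encoded and unencoded forms compare the same. The hostnames, function names, and the choice to serve the logo when the header is absent are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumed hostnames of the legitimate site (reserved .test names).
LOCAL_HOSTS = {"www.example-bank.test", "example-bank.test"}


def referer_host(referer):
    """Return the normalised host of a Referer value, or None if unusable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname drops any "user:password@" prefix and the port. Split BEFORE
    # decoding: decoding first would turn "%2F" into "/" and move the
    # boundary between host and path.
    host = parts.hostname
    if not host:
        return None
    return unquote(host).rstrip(".").lower()


def image_to_serve(referer):
    """Decide which image to return for a logo request."""
    host = referer_host(referer)
    if host is None:
        # Referer is optional, so a missing or unparseable header is not
        # treated as evidence of fraud (assumed policy).
        return "logo"
    return "logo" if host in LOCAL_HOSTS else "fraud-warning"


# Constructed sample Referer values, not taken from any real log.
SAMPLES = [
    "http://www.example-bank.test/login",
    "http://www%2Eexample-bank%2Etest/login",           # encoded dots in host
    "http://www.example-bank.test@phish.test/login",    # username trick
    "http://phish.test/?next=http://www.example-bank.test/",
    None,                                               # header stripped
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(repr(ref), "->", image_to_serve(ref))
```
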
