June 25th, 2005, 09:25 PM
Phishing -- Feature or Flaw
This came in about a half hour ago from Bugtraq, so I thought I'd post it here for those of you that aren't subscribed to the mailing list.
It has some good points in it... These "flaws" that are being reported were originally intended as features... So is it really the browser manufacturers' responsibility to fix these... and are they still features, or are they now flaws because of how they're being used?
Regarding certain vulnerabilities that are being discovered such as http://secunia.com/multiple_browsers...erability_test
For example, is this a flaw -
(some mozilla browsers don't like Thawte yet so you will get a warning). This is a standard frame with the URL domain as https://slam.securescience.com,
but the body is https://www.bankone.com
- take a look at the lock icon - it will only verify the url domain - is that a browser issue, a CA issue, or a feature?
As we all have seen, one can use DHTML to create a popup and replace a mimicked address bar if one were so inclined (dirty rendition at http://ip.securescience.net/exploits/ - popup blockers off, and it was designed for IE). Feature, or flaw?
Secure Science Corporation
Author of 'Phishing Exposed'
Find out how malware is affecting your company: Get a DIA account today!
- it's free!
Anyways, I thought it was an interesting read, with examples provided.
Any thoughts or opinions?
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
June 25th, 2005, 10:26 PM
So this isn't even a matter of dynamically changing the URL in the address bar, but loading a whole page within a frame, in order to change that address?
Well hrm... you still wouldn't be able to make the address that of any address that is already used. It seems to me the bankone page in this example is simply being loaded from another frame. So do what they will, they still wouldn't be able to get that address to read bankone.com if they want any control over what gets displayed. They would still need to own the address in the address bar. I don't see how terrible this is, but maybe I'm missing the point.
/me reads the second exploit page with IE...
Yes, the second page could easily be used for phishing attacks, with the right chrome modifications and frame usage to make that address bar look more natural and have it appear in subsequent pages. My opinion? This is a feature, not a vulnerability. The vulnerability lies in the fact that people cannot recognize the difference, much like buying a Nixon mask and robbing a bank with it. Nobody assumes that costumes or disguises are always a vulnerability. They are still fun and humorous when used properly.
The solution, I think, would be to develop a browser or an addon (i.e. the Google toolbar) that can recognize these attacks in some way. Although I personally could not code such a module, I am sure it can be done. Perhaps something that would detect when URLs are entered into a text box when the address bar is not displayed would work, since I can see no other purpose for that besides phishing attacks.
I mean, I can write a bank login page with a form submit that will redirect the password to an email account. Nobody is now suggesting that input forms are a vulnerability. It is up to the user, either through training, or the use of software capable of detecting and warning against these attacks, to differentiate between normal use and abuse.
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError
June 25th, 2005, 10:37 PM
and are they still features or are they now flaws because of how they're being used.
Really, the www is just a feature of the internet; would we call the www a flaw?
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
June 25th, 2005, 11:06 PM
I do believe that we will see a LOT of this in future threads......
It would seem an 'obvious' way to go ..............
utilising 'features' to make THEM the new BAD .......
Anyone care to wager how long till email is classed as a criminal activity?
55 - I'm fiftyfeckinfive and STILL no wiser,
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone