Results 1 to 4 of 4

Thread: Phishing -- Feature or Flaw

  1. #1
    Senior Member
    Join Date
    Jan 2003

    Phishing -- Feature or Flaw

    Hey Hey,

    This came in about a half hour ago from Bugtraq so I thought I'd post it here for those of you that aren't subscribed to the mailing list..


    Regarding certain vulnerabilities that are being discovered such as http://secunia.com/multiple_browsers...erability_test

    Are these really features, or are they flaws now because of the phishing threat vector. Originally javascript/DHTML/DOM is pretty powerful and can do a lot of nasty stuff if someone were inclined. But phishing has caused us to take a look at the once dubbed features of DHTML, and possibly put responsibility onto the browser vendors for fixing these now dubbed "flaws".

    For example, is this a flaw -
    https://slam.securescience.com/threats/mixed.html (some mozilla browsers don't like Thawte yet so you will get a warning). This is a standard frame with the URL domain as https://slam.securescience.com, but the body is https://www.bankone.com - take a look at the lock icon - it will only verify the url domain - is that a browser issue, a CA issue, or a feature?

    As we all have seen, one can use DHTML to create a popup and replace a mimicked address bar if one were so incline (dirty rendition at http://ip.securescience.net/exploits/ (popup blockers off and it was designed for IE). Feature, or flaw?

    Best Regards,
    Lance James
    Secure Science Corporation
    Author of 'Phishing Exposed'
    Find out how malware is affecting your company: Get a DIA account today!
    https://slam.securescience.com/signup.cgi - it's free!
    It has some good points in it... These "flaws" that are being reported were originally intended as features... So is it really the browser manufactures responsibility to fix these... and are they still features or are they now flaws because of how they're being used.

    Anyways, I thought it was an interesting read, with examples provided.

    Any thoughts or opinions?

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    Senior Member
    Join Date
    Oct 2002
    So this isn't even a matter of dynamically changing the URL in the address bar, but loading a whole page within a frame, in order to change that address?

    Well hrm... you still wouldn't be able to make the address that of any address that is already used. It seems to me the bankone page in this example is simply being loaded from another frame. So do what they will, they still wouldn't be able to get that address to read bankone.com if they want any control over what gets displayed. They would still need to own the address in the address bar. I don't see how terrible this is, but maybe I'm missing the point.

    /me reads the second expliot page with IE...

    Yes the second page could easily be used for phishing attacks, with the right chrome modifications and frame usage to make that address bar look more natural and have it appear in subsequent pages. My opinion? This is a feature, not a vulnerability. The vulnerability lies in the fact that people cannot recognize the difference, much like buying a Nixon mask and robbing a bank with it. Nobody assumes that costumes or disguises are always a vulnerability. They are still fun and humouros when used properly.

    The solution, I think, would be to develop a browser or an addon (i.e. the Google toolbar) that can recognize these attacks in some way. Although I personally could not code such a module, I am sure it can be done. Perhaps something that would detect when URL's are entered into a text box when the address bar is not displayed would work, since I can see no other purpose that besides phishing attacks.

    I mean, I can write a bank login page with a form submit that will redirect the password to an email account. Nobody is now suggesting that input forms are a vulnerability. It is up to the user, either through training, or the use of software capable of detecting and warning against these attacks, to differentiate between normal use and abuse.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  3. #3
    Regal Making Handler
    Join Date
    Jun 2002
    and are they still features or are they now flaws because of how they're being used.
    I think that most active content on the web can be exploited for malicious intent. Java/JavaScript/active x/flash, all have been affected. In reality the whole www has evolved far beyond the expectations of its creators. As it has evolved emergants has affected nearly every aspect of it.

    Realy the www is just a feature of the internet, would we call the www a flaw?
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  4. #4
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    3rd Rock from Sun
    I do believe that we will see a LOT of this in furture threads......

    It would seem an 'obvious' way to go ..............
    utilising 'features' to make THEM the new BAD .......

    Anyone care to wager how long till EMail is classed as a criminal activety ?
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts