[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-Disclosure] Is there a 0day vuln in this phisher's site?
From:       Andrew Clover <and-bugtraq () doxdesk ! com>
Date:       2005-01-31 3:12:40
Message-ID: 41FDA228.6060501 () doxdesk ! com
[Download RAW message or body]

Larry Seltzer <larry@larryseltzer.com> wrote:

> this assumes the default placement of Address Bar if I'm not mistaken,
> so if the user changes their toolbar layout the popup will give itself away,
> correct?

Correct. In my example I deliberately window.open()ed the target with 
fixed toolbar options, which helps a little; the attacks in the wild 
aren't bothering to do that, so it's more likely the URL popup will 
appear in the wrong place.

[You can't change an existing window's options of course, but it would 
be possible to pop a new window then close the original. Theoretically 
IE disallows window.close() on top-level windows but that's easily 
avoided by assigning to window.opener.]

I expect the tactic could be improved slightly by reading the screen 
position of the work area compared to the window outer area to guess the 
number of toolbars in use, or something. (One could probably even spoof 
the entire toolbar area and SSL padlock.) I couldn't be bothered myself, 
but believed a dedicated phisherman might put the effort in. However, it 
would seem that actually they're pretty lazy too.

-- 
Andrew Clover
mailto:and@doxdesk.com
http://www.doxdesk.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]