
Text in the bookmarking api section

From: Anil Saldhana <Anil.Saldhana@redhat.com>
Date: Wed, 14 Oct 2009 10:26:13 -0500
Message-ID: <4AD5ED95.7010808@redhat.com>
To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
was influenced a little bit by this email.

attached mail follows:


I'm cross posting this to WSC for obvious reasons.  Should we say something
in our Note about the danger of UAs offering bookmark APIs and/or allowing
non-URLs (e.g., keyword shortcuts) in the location bar?

-----Original Message-----
From: "Hoffman, Billy" <billy.hoffman@hp.com>
To: "robert@webappsec.org" <robert@webappsec.org>, "websecurity@webappsec.org" <websecurity@webappsec.org>
Date: Fri, 19 Oct 2007 15:43:03 +0000
Subject: RE: [WEB SECURITY] Favorites Feature May Allow Phishing

<html>
<!-- IE-only: AddFavorite(url, title) asks to store a favorite titled "www.bank.com" that points at http://www.phisher.com -->
<body onload="window.external.AddFavorite('http://www.phisher.com','www.bank.com')">
Hi
</body>
</html>

Caveats:
- IE-only
- Works only in some security zones
- Prompts the user
- Address bar will end up saying http://www.phisher.com

However the fact that the user typed the URL in (the advice of the banks)
makes this pretty cool. That this pops a dialog box kind of sucks. On a
page load you might be able to confuse a user into clicking "Add."
Especially if you pop a lot of other dialogs using JavaScript and Flash.

Evil is the new black. :-) This is a good find.

Billy Hoffman
--
Lead Researcher, HP Security Labs
HP Software
Phone: 678-781-4845

-----Original Message-----
From: robert@webappsec.org [mailto:robert@webappsec.org]
Sent: Thursday, October 18, 2007 12:42 PM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Favorites Feature May Allow Phishing


URL: http://blog.watchfire.com/wfblog/2007/10/favorites-gone-.html

Nice find Yair.

Regards,
- Robert Auger
http://www.webappsec.org/
CO-Founder The Web Application Security Consortium

Received on Wednesday, 14 October 2009 15:26:49 GMT
