- From: Tab Atkins <tabatkins@google.com>
- Date: Thu, 30 Jun 2011 15:38:44 -0700
- To: Brad Kemper <brad.kemper@gmail.com>
- Cc: Glenn Adams <glenn@skynav.com>, John Daggett <jdaggett@mozilla.com>, John Hudson <tiro@tiro.com>, Vladimir Levantovsky <Vladimir.Levantovsky@monotypeimaging.com>, "liam@w3.org" <liam@w3.org>, StyleBeyondthePunchedCard <www-style@w3.org>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>, "Martin J." <duerst@it.aoyama.ac.jp>, Sylvain Galineau <sylvaing@microsoft.com>
On Thu, Jun 30, 2011 at 3:35 PM, Brad Kemper <brad.kemper@gmail.com> wrote: > If there is a corporate font or specialized dingbat font that is only loaded > and used when a person has signed into a secure site (for online banking, > let's say), then an attacker whose site is open in another window or tab can > find out about it using the method Tab described earlier. That is > information leakage that would allow the attacker to know when to attack. He > could, for instance, pop open a small window that says, "you are about to be > automatically signed out. Click OK to stay signed in." And then the OK > button would lead to a phishing site that looked just like the online > banking site, and a lot of users wouldn't realize it. That is a security > risk that has nothing to do with EULAs. In other words, betting that a particular filetype will never be used in malicious attacks is a good way to lose money. ^_^ ~TJ
Received on Thursday, 30 June 2011 22:39:10 UTC