- From: Dan Schutzer <dan.schutzer@fstc.org>
- Date: Fri, 26 Oct 2007 15:27:47 -0400
- To: <michael.mccormick@wellsfargo.com>, <public-wsc-wg@w3.org>
Good find -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of michael.mccormick@wellsfargo.com Sent: Friday, October 26, 2007 3:22 PM To: public-wsc-wg@w3.org Subject: FW: IE Favorites Feature May Allow Phishing I'm cross posting this to WSC for obvious reasons. Should we say something in our Note about the danger of UAs offering bookmark APIs and/or allowing non-URLs (e.g., keyword shortcuts) in the location bar? -----Original Message----- From: "Hoffman, Billy" <billy.hoffman@hp.com> To: "robert@webappsec.org" <robert@webappsec.org>, "websecurity@webappsec.org" <websecurity@webappsec.org> Date: Fri, 19 Oct 2007 15:43:03 +0000 Subject: RE: [WEB SECURITY] Favorites Feature May Allow Phishing <html> <body onload="window.external.AddFavorite('http://www.phisher.com','www.bank.com') "> Hi </body> </html> Caveats: -IE-only -Works only in some security zones -Prompts the user -Address bar will end up saying http://www.phisher.com However the fact that the user typed the URL in (the advice of the banks) makes this pretty cool. That this pops a dialog box kinda of sucks. On a page load you might be able to confuse a user into clicking "Add." Especially if you pop a lot of other dialogs using JavaScript and Flash. Evil is the new black. :-) This is a good find. Billy Hoffman -- Lead Researcher, HP Security Labs HP Software Phone: 678-781-4845 -----Original Message----- From: robert@webappsec.org [mailto:robert@webappsec.org] Sent: Thursday, October 18, 2007 12:42 PM To: websecurity@webappsec.org Subject: [WEB SECURITY] Favorites Feature May Allow Phishing URL: http://blog.watchfire.com/wfblog/2007/10/favorites-gone-.html Nice find Yair. Regards, - Robert Auger http://www.webappsec.org/ CO-Founder The Web Application Security Consortium
Received on Friday, 26 October 2007 19:28:07 UTC