RE: IE Favorites Feature May Allow Phishing

Microsoft is looking into this.  FYI, Mike 

-----Original Message-----
From: [] On
Behalf Of McCormick, Mike
Sent: Friday, October 26, 2007 2:22 PM
Subject: FW: IE Favorites Feature May Allow Phishing

I'm cross posting this to WSC for obvious reasons.  Should we say something
in our Note about the danger of UAs offering bookmark APIs and/or allowing
non-URLs (e.g., keyword shortcuts) in the location bar?

-----Original Message-----
From: "Hoffman, Billy"
Date: Fri, 19 Oct 2007 15:43:03 +0000
Subject: RE: [WEB SECURITY] Favorites Feature May Allow Phishing


-Works only in some security zones
-Prompts the user
-Address bar will end up saying

However the fact that the user typed the URL in (the advice of the banks)
makes this pretty cool. That this pops a dialog box kind of sucks. On a
page load you might be able to confuse a user into clicking "Add."
Especially if you pop a lot of other dialogs using JavaScript and Flash.

Evil is the new black. :-) This is a good find.

Billy Hoffman
Lead Researcher, HP Security Labs
HP Software
Phone: 678-781-4845

-----Original Message-----
From: []
Sent: Thursday, October 18, 2007 12:42 PM
Subject: [WEB SECURITY] Favorites Feature May Allow Phishing


Nice find Yair.

- Robert Auger
Co-Founder, The Web Application Security Consortium

Received on Monday, 29 October 2007 20:32:34 UTC