Phishing - feature or flaw Jun 24 2005 10:38PM
Secure Science Corporation Bugtraq (bugtraq securescience net)

Regarding certain vulnerabilities that are being discovered such as

Are these really features, or are they flaws now because of the phishing
threat vector? Originally JavaScript/DHTML/DOM is pretty powerful and
can do a lot of nasty stuff if someone were inclined. But phishing has
caused us to take a look at the once dubbed features of DHTML, and
possibly put responsibility onto the browser vendors for fixing these
now dubbed "flaws".

For example, is this a flaw -
https://slam.securescience.com/threats/mixed.html (some Mozilla browsers
don't like Thawte yet so you will get a warning). This is a standard
frame with the URL domain as https://slam.securescience.com, but the
body is https://www.bankone.com - take a look at the lock icon - it will
only verify the URL domain - is that a browser issue, a CA issue, or a

As we all have seen, one can use DHTML to create a popup and replace a
mimicked address bar if one were so inclined (dirty rendition at
http://ip.securescience.net/exploits/ (popup blockers off and it was
designed for IE)). Feature, or flaw?

Best Regards,
Lance James
Secure Science Corporation
Author of 'Phishing Exposed'
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!
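
The mixed-frame case in the post is something the framed site can now refuse through response headers that browsers adopted after this message was written. The check below is an added example, not part of the original post: it evaluates `X-Frame-Options` and CSP `frame-ancestors` for a given parent origin. The function names and the `.example` origins are constructed, and source matching is simplified.

```javascript
// Added example. Header names are real; function names and origins are
// constructed. Origins must be normalized (scheme://host[:port]).
function sourceMatches(src, pageOrigin, parentOrigin) {
  const s = src.toLowerCase();
  const parent = new URL(parentOrigin);
  if (s === "'none'") return false;
  if (s === "'self'") return parentOrigin === pageOrigin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === parent.protocol; // e.g. https:
  // scheme://host:port with optional "*." prefix; any path part is ignored.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false; // not a source form this sketch understands
  const [, scheme, wild, host, port] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  // A scheme-less source inherits the page's scheme (upgrade to https allowed).
  if (scheme ? scheme + ':' !== parent.protocol
             : parent.protocol !== pageScheme && parent.protocol !== 'https:') return false;
  const defPort = parent.protocol === 'https:' ? '443' : '80';
  if (port !== '*' && (port || defPort) !== (parent.port || defPort)) return false;
  // "*.host" matches subdomains only, not the bare host.
  return wild ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
}

// May a page served from pageOrigin with these headers render inside a
// frame whose embedding page has origin parentOrigin?
function mayBeFramedBy(headers, pageOrigin, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  // When frame-ancestors is present it is enforced and X-Frame-Options ignored.
  const directive = (h['content-security-policy'] || '').split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    return directive.slice(1).some(src => sourceMatches(src, pageOrigin, parentOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parentOrigin === pageOrigin;
  return true; // no framing policy: any site can wrap this page
}

// Constructed case mirroring the post: a foreign HTTPS page frames the bank.
console.log('framable with no policy:',
  mayBeFramedBy({}, 'https://bank.example', 'https://framer.example'));
```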

Copyright 2010, SecurityFocus