2004-11-01
Recent "phishing" episodes, and two new browser vulnerabilities, show how the bad guys are tricking people into exposing their passwords and bank accounts. Couldn't happen to tech-savvy users, right? Unless you consider how entire nations have been fooled.

Many people do not look at the monitor while typing, just like many people do not open emails that come from unknown sources.
The big problem here is that the browser is doing nothing to "protect" those people that will actually type out their information without giving a look at the monitor.
Also, a scammed user might not need to hit submit before his/her information is compromised. The bad form could have a 30 sec timer to reload, send whatever information has been typed so far via a form.submit(); the receiving CGI can update the acquired information every time it receives a submit from the same form (using a session id or a cookie).
Link to this comment: http://www.securityfocus.com/comments/columns/274/28954#28954