Re: seamless bait-and-switch Dec 08 2011 10:09PM
Michal Zalewski (lcamtuf coredump cx) (2 replies)
Re: seamless bait-and-switch Dec 09 2011 06:18PM
Jann Horn (jannhorn googlemail com)
2011/12/8 Michal Zalewski <lcamtuf (at) coredump (dot) cx [email concealed]>:
> What part? The change of a URL that is not associated with the
> repainting of window contents? I believe that they are very unlikely
> to catch this after initially examining the URL, in absence of other
> indicators (change in URL length, page repainting, throbber activity).

And even if so - someone who's typing in his password will not
notice/react to a page reload for at least a few keystrokes. A
javascript could send those to the server immediately, and if it's a
semanic password, you might be able to guess the rest.

[ reply ]
Re: seamless bait-and-switch Dec 09 2011 03:37PM
Charles Morris (cmorris cs odu edu)


Privacy Statement
Copyright 2010, SecurityFocus