Full Disclosure mailing list archives
RE: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen).
From: "Scott Melnick" <smelnick () water com>
Date: Thu, 20 Oct 2005 15:30:48 -0400
Nick FitzGerald Wrote:
IFF that is the case, then it is an extraordinarily brain-dead design, as it breaks the very critical "rule" that you should NOT surprise the user. A URL link that is shown in the interface to go one place, but which goes somewhere else is fundamentally broken under that rule.
If this is by design, then it's another case of a feature that breaks Billy's admonition that security is to trump features, so should be fixed.
Regards, Nick FitzGerald
It has been that way for a long time. Sometimes the underlined link is in the form of "Click Here" to be redirected. Phishing schemes have been using this in emails for a good long time as well, especially the eBay account ones that I'm sure everyone has seen about account information.
Scott Melnick
Security Guy