Full Disclosure mailing list archives
RE: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen).
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 21 Oct 2005 20:15:30 +1300
Scott Melnick to me:
It has been that way for a long time. Sometime the underlined link is in the form of Click Here to be redirected. Phishing schemes have been using this in emails for a good long time as well. Especially the ebay account ones that I'm sure everyone has seen about account information.
"because "it works" does NOT mean that is how it is supposed to be... And, even if "this is how it is supposed to be" by some or rather interpretation of some standard does not mean that we cannot question the desirability (or even the sanity) of that "standard" and/or of sticking to implementing it! Even if this behaviour is "correct" (which seems entirely open to debate if you read the mess of responses), I will continue to argue that _this particular form_ of duping the user is so undesirable as to be a total misfeature AND SHOULD BE REMOVED on the grounds the standard is clearly totally bozoid in this case. ... Oh, and I can't be sure, but I suspect that the phishing schemes you are referring to are actually those I see quite a lot using the "fool the status bar display of the destination URL with a broken MAP tag improperly embedded in an HREF" trick (which only works in IE, and maybe some versions of Opera). If so, you are wrong again and the "problem" is not the HTML spec, or Javascript, or anything but total lack of concern for standards compliance in Redmond... (And yes, there are other tags apart from MAP that can be used in that trick, but they are very rarely used by the phishers...) Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen). Scott Melnick (Oct 20)
- RE: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen). Nick FitzGerald (Oct 21)