Full Disclosure mailing list archives
Re: Firefox focus stealing vulnerability (possibly other browsers)
From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Sun, 11 Feb 2007 21:19:41 +0000
here is an idea... we can combine both techniques into a single attack... the hardest part of your hack is to force the user to type :// plus several other / but if we steel the focus from the address bar, unaware users will type something like this http://www.google.com for example, which is what we want. On 2/11/07, pdp (architect) <pdp.gnucitizen () googlemail com> wrote:
try this <input id="foo" type="text"/> <script> setInterval(function () { document.getElementById('foo').focus(); },1); </script> :) the address bar is disabled... On 2/11/07, pdp (architect) <pdp.gnucitizen () googlemail com> wrote:phh :), I found something very interesting when testing your IE example... every time I try to type something in the address bar, the focus is redirected back to the input box. I wonder if it is possible to capture what the user is typing in the address bar. That would be neat... I am just checking your code to see what the hell is going on. On 2/11/07, Michal Zalewski <lcamtuf () dione ids pl> wrote:On Sun, 11 Feb 2007, pdp (architect) wrote:IE is vulnerable too, since I used to play around with this bug long time ago.Possibly MS00-093, but that's long fixed. But yes, MSIE variant is possible, though more contrived. /mz-- pdp (architect) | petko d. petkov http://www.gnucitizen.org-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
-- pdp (architect) | petko d. petkov http://www.gnucitizen.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Firefox focus stealing vulnerability (possibly other browsers), (continued)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) pdp (architect) (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Ben Bucksch (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) pdp (architect) (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) pdp (architect) (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) pdp (architect) (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) pdp (architect) (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Paul Szabo (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Message not available
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 12)
- Re: Firefox focus stealing vulnerability (possibly other browsers) pdp (architect) (Feb 12)
- Re: Firefox/MSIE focus stealing vulnerability - clarification Marcello Barnaba (Feb 12)