IE bookmark 'clever' feature not so clever after all

From: perkere stinker (doe_i_sorte_skodderat_private)
Date: Wed Aug 15 2001 - 02:50:24 PDT


    short: type the name of one of your bookmarks (favorites) in the address field 
    in IE, and IE will execute the bookmark.
    
    bit longer: it's trivial to trick a user into accepting a bookmark for a 
    popular site, uh, let's say www.hotmail.com .. or placing it yourself.
    
    effect: users won't be able to access www.hotmail.com by typing the url in 
    the address bar, they'll get redirected to whatever the bookmark points to.
    
    impact: this could easily be used for putting up 'fake pages' on publicly
    accessible computers, like at libraries, schools etc. where pages like
    hotmail/google/msn are often accessed. That could give you a lot of nice 
    usernames/passwords. And a lot of crap.
    
    perhaps someone could try naming a bookmark http://www.hotmail.com and see 
    what happens? seems I misplaced my funny filename generator..
    
    this is stupid
    
    



    This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 10:51:52 PDT
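
A check an administrator of shared machines could run against the behaviour described in the message above, as an added example that is not part of the original post: it flags favorites whose name is itself a hostname but whose target is a different host. It assumes favorites are stored as `.url` files with a `[InternetShortcut]` section and a `URL=` line; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# A favorite name that is itself a hostname, e.g. "www.hotmail.com"
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

def shortcut_target(path):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for line in Path(path).read_text(errors="replace").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and line.lower().startswith("url="):
            return line[4:].strip()
    return None

def audit_favorites(root):
    """List (name, target) for favorites named like one host but opening another."""
    findings = []
    for path in sorted(Path(root).rglob("*.url")):
        name = path.stem.strip().lower()
        if not HOSTLIKE.match(name):
            continue  # ordinary title such as "Mail"; nobody types it as an address
        target = shortcut_target(path) or ""
        host = (urlsplit(target).hostname or "").lower()
        if host != name:  # strict comparison: a missing or different host is reported
            findings.append((path.stem, target))
    return findings

def build_sample(root):
    """Constructed sample Favorites tree; the example.* targets are placeholders."""
    samples = {
        "www.hotmail.com.url": "http://login.example.net/",  # name and target differ
        "www.example.org.url": "http://www.example.org/",    # name and target agree
        "Mail.url": "http://www.hotmail.com/",               # plain title, ignored
    }
    for fname, url in samples.items():
        (Path(root) / fname).write_text("[InternetShortcut]\nURL=" + url + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, target in audit_favorites(tmp):
            print(f"SUSPICIOUS: favorite '{name}' opens {target}")
```

On a real machine, pass the user's Favorites directory to `audit_favorites` instead of the constructed sample.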