Re: IE bookmark 'clever' feature not so clever after all

From: Xyntrix (xyntrixat_private)
Date: Wed Aug 15 2001 - 16:13:34 PDT

  • Next message: Petruzel, Oliver: "RE: IE bookmark 'clever' feature not so clever after all"

    it's fairly feasible concept.
    
    1) attacker places javascript on a public website to add a bookmark for
    www.onlinebankx.com (and possibly other commonly visited sites where a
    username and a password might be needed) which is actually www.attackersite.com.
    2) attacker sets up a mirror of www.onlinebankx.com on
    www.atackersite.com.
    3) attacker then sets up some method to draw people to visit public
    website (free porn, for example).
    3) victim visits public website, gets several bookmarks added.
    4) if the attacker is lucky, the victim eventually goes to visit one of those
    bookmarks which pulls up the fake site.
    5) victim enters their username and password for www.onlinebankx.com at
    which time the attacker records such information as entered.
    6) an error page is then displayed and victim is then forwarded on to the
    real site, unaware that their username and password have been obtained
    by the attacker.
    
    combine step 1 with placing malicious javascript on vulnerable ida iis
    sites, and a worm to deliver such a package, and the number of
    possibilities for this scenerio to work gets higher.  the only two
    dependent variables are: wether joeuser running ie visits a bookmark
    effecting site and wether joeuser will go to a possibly redirected
    website.
    
    opera and netscape both do not direct themselvs to a bookmark-title location.
    also, netscape and opera do not support the remotee-bookmark
    placing 'feature'.
    
    
    On Wed, Aug 15, 2001 at 03:05 PM, Kevin Gagel <Gagelat_private> said:
    > Personally I like the idea that I can name my bookmarks whatever I want.
    > This allows me to save web sites that are poorly named with something I
    > prefer.
    > 
    > Exploiting this would be a "social engineering" exploit, not a bug.
    > I guess the more integrated we get the harder it will be to prevent this
    > kind of social exploit.
    > 
    > Nothing short of a labotamy for exploiters can really help with a social
    > exploit. Especially since
    > most users tend to not bother understanding.
    > 
    > Therefor I recomend a real fix for the problem - Turn off the
    > computer...
    > 
    > > yup  totaly right
    > > rename bookmark to a website like hotmail and it follows the bookmark
    > > instead of the real page meanted
    > 
    > -- 
    > =============================
    > Kevin W. Gagel
    > Network Administrator
    > College of New Caledonia
    > gagelat_private
    > (250)561-5848 loc. 448
    > =============================
    -----
    ________________________________
    Mike Mclane | xyntrixat_private |
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    



    This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 21:59:37 PDT