Re: IE bookmark 'clever' feature not so clever after all

From: Xyntrix (xyntrixat_private)
Date: Wed Aug 15 2001 - 16:13:34 PDT

Next message: Petruzel, Oliver: "RE: IE bookmark 'clever' feature not so clever after all"

Previous message: Kevin Gagel: "Re: IE bookmark 'clever' feature not so clever after all"
In reply to: Kevin Gagel: "Re: IE bookmark 'clever' feature not so clever after all"
Next in thread: Petruzel, Oliver: "RE: IE bookmark 'clever' feature not so clever after all"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

it's fairly feasible concept.

1) attacker places javascript on a public website to add a bookmark for
www.onlinebankx.com (and possibly other commonly visited sites where a
username and a password might be needed) which is actually www.attackersite.com.
2) attacker sets up a mirror of www.onlinebankx.com on
www.atackersite.com.
3) attacker then sets up some method to draw people to visit public
website (free porn, for example).
3) victim visits public website, gets several bookmarks added.
4) if the attacker is lucky, the victim eventually goes to visit one of those
bookmarks which pulls up the fake site.
5) victim enters their username and password for www.onlinebankx.com at
which time the attacker records such information as entered.
6) an error page is then displayed and victim is then forwarded on to the
real site, unaware that their username and password have been obtained
by the attacker.

combine step 1 with placing malicious javascript on vulnerable ida iis
sites, and a worm to deliver such a package, and the number of
possibilities for this scenerio to work gets higher.  the only two
dependent variables are: wether joeuser running ie visits a bookmark
effecting site and wether joeuser will go to a possibly redirected
website.

opera and netscape both do not direct themselvs to a bookmark-title location.
also, netscape and opera do not support the remotee-bookmark
placing 'feature'.


On Wed, Aug 15, 2001 at 03:05 PM, Kevin Gagel <Gagelat_private> said:
> Personally I like the idea that I can name my bookmarks whatever I want.
> This allows me to save web sites that are poorly named with something I
> prefer.
> 
> Exploiting this would be a "social engineering" exploit, not a bug.
> I guess the more integrated we get the harder it will be to prevent this
> kind of social exploit.
> 
> Nothing short of a labotamy for exploiters can really help with a social
> exploit. Especially since
> most users tend to not bother understanding.
> 
> Therefor I recomend a real fix for the problem - Turn off the
> computer...
> 
> > yup  totaly right
> > rename bookmark to a website like hotmail and it follows the bookmark
> > instead of the real page meanted
> 
> -- 
> =============================
> Kevin W. Gagel
> Network Administrator
> College of New Caledonia
> gagelat_private
> (250)561-5848 loc. 448
> =============================
-----
________________________________
Mike Mclane | xyntrixat_private |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next message: Petruzel, Oliver: "RE: IE bookmark 'clever' feature not so clever after all"
Previous message: Kevin Gagel: "Re: IE bookmark 'clever' feature not so clever after all"
In reply to: Kevin Gagel: "Re: IE bookmark 'clever' feature not so clever after all"
Next in thread: Petruzel, Oliver: "RE: IE bookmark 'clever' feature not so clever after all"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 21:59:37 PDT