The truth is that some things will never get picked up by the community unless you really start bragging about them. Repetition is a key element.
Obviously not an extremely devastating vulnerability but the issue, which I have reported here and also logged in Mozilla’s bugzilla 3 months ago, is still present and works quite well. This is yet another design bug which abuses the way browsers work rather then exploit a vulnerability within the software.
The issues is quite simple. We take advantage of the way browser windows/tabs are opened and we exploit them for our own good. A typical attack scenario will go like this:
- The user visits a website which he wants to digg.
- He clicks on the digg button which takes him to digg.com.
- He puts his password, the browser starts to preload content but, he ends up with another screen asking for his password again! Presumably, he mistyped his password!
- He enters his password again and continues surfing as normally.
What you don’t see is that the page that originally took him to digg.com was waiting for him to authenticate with digg.com and silently switched the page with another similarly looking login page. The second time the users types his credentials, he actually granted the attacker access to his account. What follows next is a simple redirection from the malicious webpage back to the original digg.com. Game over!
Although simple, this attack vector is quite interesting and potentially very devastating imho. The reason for this is because is extremely effective. Although it cannot hack your PC, it is sufficient enough to steal your data, which essentially is the ultimate goal of every hacking incident. There are numerous variations of this attack.
Oper8or responds:
mellow responds:
Aodhhan responds:
What is the difference with this weakness and attack and the one described by Moxie Marlinspike during the last BH Washington ? Effects and step by step operations seems to be very close between those to hacks
Tnks