
Comment: To clarify (Score 4, Interesting) 151

by hennikl (#41228959) Attached to: Firefox, Opera Allow Phishing By Data URI Claims New Paper
As the author of the cited paper, I feel that I have to clarify a few issues here:

As well as Opera and Firefox, GOOGLE CHROME ALSO "suffers" from the ability to host data URIs. It just distrusts being redirected to one. IE (it is said) has a size limit to data URIs of 32 KB. However, in my tests, a ~26 KB URI was tried, unsuccessfully.

The data URI phishing pages can be made in many ways, differing in how they use other data. One can make a true offline (or local) version of a web page if all linked content on the page is contained in the "root page" through yet another data URI.

If the data URI web pages are presented on a computer running a related trojan program, this program may handle the communication of the "secret information" (credit card #, passwords, etc.). This can be done P2P (as in botnets), thus no need for server infrastructure.

Another issue I'm discussing in my paper (http://klevjers.com/papers/phishing.pdf) is that of ownership of the data URI contents. I feel TinyURL unwittingly takes ownership of whatever content is hosted there, as they store the entire (phishing) web page on their servers.
Security

Phishing is possible using Data URI

Submitted by
hennikl
hennikl writes "Historically, phishing web pages have been hosted by web servers that are either compromised or owned by the attacker. This paper introduces a new approach to creating working phishing web pages without the direct need of a host. The contents of the phishing web page are simply contained in its own URI (link). We present the appropriate steps to do this, and show a working example of such a phishing page."
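Both the comment and the submission above turn on a whole page travelling inside a data URI, including through a URL shortener that stores it. As an added example (not code from the paper or from any browser or shortener), here is a check a link shortener or redirecting proxy could run on a target before storing or redirecting to it; the function names, verdict labels and sample URLs are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Markup that lets a decoded page collect or send user input.
ACTIVE_MARKUP = re.compile(rb"<\s*(form|input|script|iframe)\b", re.I)
# Media types a browser renders as a document rather than as inert data.
HTML_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def parse_data_uri(uri):
    """Split an RFC 2397 data URI into (media_type, payload); None if not one."""
    uri = uri.strip()
    if uri[:5].lower() != "data:":
        return None
    header, sep, data = uri[5:].partition(",")
    if not sep:
        return None
    params = [p.strip().lower() for p in header.split(";")]
    media_type = params[0] or "text/plain"  # RFC 2397 default type
    payload = unquote_to_bytes(data)
    if "base64" in params[1:]:
        try:
            payload = base64.b64decode(payload + b"=" * (-len(payload) % 4))
        except ValueError:
            payload = b""  # undecodable body: verdict falls back to "review"
    return media_type, payload


def assess_target(url):
    """Verdict for a link or redirect target: 'allow', 'review' or 'block'."""
    parsed = parse_data_uri(url)
    if parsed is None:
        return "allow"   # ordinary URL, outside the scope of this check
    media_type, payload = parsed
    if media_type in HTML_TYPES and ACTIVE_MARKUP.search(payload):
        return "block"   # self-contained page that can take user input
    return "review"      # inline data with no active markup found


# Constructed samples, not taken from the paper.
_HTML = b'<form><input type="password" name="p"></form>'
SAMPLES = {
    "https://example.com/login": "allow",
    "data:text/html;base64," + base64.b64encode(_HTML).decode(): "block",
    "DATA:text/html,%3Cform%3E%3Cinput%20type%3Dpassword%3E%3C%2Fform%3E": "block",
    "data:image/png;base64,iVBORw0KGgo=": "review",
    "data:text/html,hello": "review",
}
```

A stricter policy, closer to the Chrome behaviour the comment describes, is to refuse every redirect whose target parses as a data URI.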
