| To: | bugtraq@securityfocus.com |
|---|---|
| Subject: | Bypass phishing protection in Firefox / Opera |
| From: | zonafirefox@gmail.com |
| Date: | 28 Mar 2007 04:53:04 -0000 |

Hi,

I've tested a simple way to bypass the phishing protection in Firefox 2.0.0.3 and Opera 9.10. Apparently both browsers fail to detect a phishing site if it is embedded in an IFRAME / OBJECT label.

I've released some demonstrations to test the above:

http://zonafirefox.googlepages.com/prueba.html (using Javascript to create an iframe object)

http://zonafirefox.googlepages.com/prueba2.html (without Javascript)

Also, the following code can be used to bypass the phishing protection:

`<object type="text/html" classid="(phishing site)" data="(phishing site)"></object>`

The tests were realized using several sites from the Phishtank database.

IE7 has no problems.

Any feedback and/or confirmation of the above will be very appreciated.

rgds,
nsp
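
A defender-side illustration of the gap reported above, added here and not part of the original post: it checks the URLs a page embeds through IFRAME / OBJECT against a blocklist, in addition to the top-level URL. The hostnames and the one-entry blocklist are constructed, and `blocked_urls` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist for the example; a real deployment would load a feed
# such as the PhishTank database the post mentions.
BLOCKLIST = {"phish.example.test"}

# Tag -> attributes that can make the browser load another document in the page.
EMBED_ATTRS = {
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data", "classid"),
    "embed": ("src",),
}


class EmbedCollector(HTMLParser):
    """Collect absolute URLs of documents embedded by a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        wanted = EMBED_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value:
                self.urls.append(urljoin(self.base_url, value.strip()))


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def blocked_urls(page_url, html):
    """Return each distinct URL, top-level or embedded, whose host is listed."""
    collector = EmbedCollector(page_url)
    collector.feed(html)
    candidates = dict.fromkeys([page_url] + collector.urls)  # dedupe, keep order
    return [u for u in candidates if host_of(u) in BLOCKLIST]


# Constructed sample: an unlisted host wrapping a listed site without JavaScript.
SAMPLE = """<html><body>
<object type="text/html" classid="http://phish.example.test/login"
        data="http://phish.example.test/login"></object>
<iframe src="/about.html"></iframe>
</body></html>"""
```

Static parsing only covers the markup case; a frame created by script, as in the first demonstration, is not in the HTML source and has to be checked when the frame's URL is actually loaded.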