
Can You See Me Now?

Using a cross-site scripting exploit, this site here was able to display text of its choice on sites such as MasterCard's, Barclays', and others. By using those sites rather than their own, attackers can present to you, even over SSL, whatever they want, and you would not know the page was under someone else's control.

Needless to say, this opens a new avenue for phishing attacks that could occur even if you go directly to, for example, your banking site. Or Amazon. Or eBay. Or PayPal. You don't need to respond to emails. You don't need to click on links. All you have to do is visit your bank, etc. The attackers could conceivably create such a realistic presentation on the site you trust that you would not know it had been taken over.

Unfortunately, the site does not indicate how to prevent such attacks. (Another site says to check all user-provided input in forms, but gives no examples of what to look for.)
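To make the missing advice concrete, here is an added example (my code, not from the post or from the sites it mentions) of the defect behind this kind of attack and its fix: a page that reflects a URL parameter into its HTML as-is, next to the same page with the parameter encoded for the HTML context. The URL and the "bank" host are constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Minimal page template; the "q" parameter is reflected into the response body.
TEMPLATE = "<html><body><p>Results for: {query}</p></body></html>"


def _query_param(url: str) -> str:
    """Extract the decoded 'q' parameter from the request URL."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the raw parameter: whatever the URL carries becomes page markup.

    This is the defect: the site's own (SSL-served) page now shows text
    chosen by whoever crafted the URL.
    """
    return TEMPLATE.format(query=_query_param(url))


def render_hardened(url: str) -> str:
    """Encode the parameter for an HTML text context before reflecting it.

    html.escape is the right tool for text nodes and quoted attribute values
    only; a value placed into a script block or a URL needs a different
    encoder for that context. Validating input (e.g. an allowlist of the
    characters a search term may contain) is a second, independent layer.
    """
    return TEMPLATE.format(query=html.escape(_query_param(url), quote=True))


def injected_tags(page: str) -> list[str]:
    """Return tags in the page that are not part of TEMPLATE.

    A simple check for reviewing responses in a test suite, not a real parser.
    """
    expected = set(re.findall(r"</?\w+>", TEMPLATE.format(query="")))
    return [t for t in re.findall(r"</?\w+[^>]*>", page) if t not in expected]


# Constructed request: the third-party-chosen text travels in the URL.
SAMPLE_URL = "https://bank.example/search?q=%3Cb%3ENotice+chosen+by+a+third+party%3C%2Fb%3E"

if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_vulnerable(SAMPLE_URL)))  # ['<b>', '</b>']
    print("hardened:  ", injected_tags(render_hardened(SAMPLE_URL)))    # []
```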

About

This page contains a single entry from the blog posted on July 21, 2004 9:18 AM.

This weblog is licensed under a Creative Commons License.