Bugtraq mailing list archives
Re: seamless bait-and-switch
From: Jann Horn <jannhorn () googlemail com>
Date: Fri, 9 Dec 2011 19:18:00 +0100
2011/12/8 Michal Zalewski <lcamtuf () coredump cx>:
What part? The change of a URL that is not associated with the repainting of window contents? I believe that they are very unlikely to catch this after initially examining the URL, in absence of other indicators (change in URL length, page repainting, throbber activity).
And even if so - someone who's typing in his password will not notice/react to a page reload for at least a few keystrokes. A javascript could send those to the server immediately, and if it's a semanic password, you might be able to guess the rest.
Current thread:
- seamless bait-and-switch Michal Zalewski (Dec 08)
- Message not available
- Message not available
- Re: seamless bait-and-switch Michal Zalewski (Dec 08)
- Message not available
- Re: seamless bait-and-switch Michal Zalewski (Dec 09)
- Re: seamless bait-and-switch Jann Horn (Dec 09)
- Re: seamless bait-and-switch Charles Morris (Dec 12)
- Message not available
- Message not available