WebApp Sec mailing list archives
Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...
From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Thu, 21 Oct 2004 08:20:04 -0700
and most visible and sensitive web sites still ask users to enter passwords into unprotected web forms - making it trivial for attackers to emulate these pages and steal passwords. These include PayPal, chase, Microsoft's passport, Yahoo!, eBay, TD Waterhouse,... (I've checked most of them about a month ago and this was still the case; I've checked PayPal today...)
Your tool may be nice, but Paypal does redirect to an SSL site if you type in paypal.com or www.paypal.com and if you click the "log in" link. Of course, this helps, but since most web users are not savvy and don't use your tool, such a "fix" rarely helps. After all, someone who is naive enough to follow such paypal links probably doesn't know anything about keeping themselves safe online, which is why they are targeted. David
Current thread:
- TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... Amir Herzberg (Oct 21)
- Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... David Wall @ Yozons, Inc. (Oct 22)