Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

.MAC Phishing .. Security through obscurity
From: rabbit food <r4bb1t_f00d () yahoo co uk>
Date: Wed, 24 Mar 2004 08:57:50 +0000 (GMT)

Thanks for your constructive academic response Peter, 

Useless 
Information 

Hm, that would depend on the attackers perspective, an
authenticated redirector may
protect apple from unsoliciated use of their
redirect (think about it).

Also if you take a moment to think about the way in
which this could be exploited with a little
bit of html..javascript, some fun could be had, if
you were maliciously inclined.

But of course, chains and week links are always
part of the fun. 


It may be possible to redirect a naive .Mac webmail 
user, to another site, possibly, one mocked up as 
webmail (a user may ignore the fact SSL is not 
present). 

http://webmail.mac.com/redirect/http://your url 
 
How is this different from <<ANY>> other redirect
attack. Why is this a ".MAC  
 Webmail phishing attack" ??? 

Hmmmm, think about that one Peter(didn't say there was
anything special about, the more reason why it should
be noticed).
 

Is there anything special about .mac webmail that
makes this kind of attack any  
 easier? This is not some intuitive leap here... 


Indeed a correct observation, maybe something apple
could respond to.


Now the IE obfuscated (look up the definition in
dictionary.com) redirection  
 bug, that was good. It could even be crafted to make
the little lock icon  
 appear. 


Indeed.
There are always sparter people and things out there.

I just don't want some ignorant reporter reading your
message and thinking "oh  
 my god, Apple's email service is full of holes!!!" 


Which reporters are you talking about? ignorance is
rife, just take a look back over the past 300 years of
the printed press....and isn't this full-disclosure.

Take a chill-pill dude.

r4bb1t



 





        
        
                
___________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • .MAC Phishing .. Security through obscurity rabbit food (Mar 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]