Larry Seltzer <larry_at_larryseltzer.com> wrote:
> this assumes the default placement of Address Bar if I'm not mistaken,
> so if the user changes their toolbar layout the popup will give itself away,
> correct?
Correct. In my example I deliberately window.open()ed the target with
fixed toolbar options, which helps a little; the attacks in the wild
aren't bothering to do that, so it's more likely the URL popup will
appear in the wrong place.
[You can't change an existing window's options of course, but it would
be possible to pop a new window then close the original. Theoretically
IE disallows window.close() on top-level windows but that's easily
avoided by assigning to window.opener.]
I expect the tactic could be improved slightly by reading the screen
position of the work area compared to the window outer area to guess the
number of toolbars in use, or something. (One could probably even spoof
the entire toolbar area and SSL padlock.) I couldn't be bothered myself,
but believed a dedicated phisherman might put the effort in. However, it
would seem that actually they're pretty lazy too.
--
Andrew Clover
mailto:and_at_doxdesk.com
http://www.doxdesk.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Jan 31 2005
Intro
