[OpenID] Security related Use Cases?
Andrew Arnott
andrewarnott at gmail.com
Wed Oct 22 15:46:38 UTC 2008
A real hacker wouldn't. But the fact that legitimate sites *can* do it means
that some will likely do it. If legitimate sites embed the Yahoo sign-in
page in an iframe, thus hiding the yahoo.com from the location bar, users
will become desensitized from not seeing yahoo.com when they enter their
credentials. This will make the phisher's job that much easier.
On Wed, Oct 22, 2008 at 8:33 AM, Praveen Alavilli
<AlavilliPraveen at aol.com> wrote:
> But why would a hacker open the real yahoo sign in page in an iframe
> (security enabled or not) - there is nothing to gain from it (whether it
> shows the signin seal or not). Instead they are better off showing their
> own phishing page to steal the credentials.
>
> - Praveen
>
> Breno de Medeiros wrote:
> > On Tue, Oct 21, 2008 at 6:03 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> >
> >> Hi Breno,
> >>
> >> Do you have a demo of this?
> >>
> >
> > I could put one together, the directions are here:
> >
> > http://msdn.microsoft.com/en-us/library/ms534622(VS.85).aspx
> >
> >
> >> Thanks
> >> Allen
> >>
> >>
> >> Breno de Medeiros wrote:
> >>
> >>> IE allows you to create an iframe and disable JS inside the iframe.
> >>> 70-85% of users will be vulnerable to this attack.
> >>>
> >>>
> >>>
> >>
> >
> >
> >
> >
>