[OpenID] Security related Use Cases?
Allen Tom
atom at yahoo-inc.com
Wed Oct 22 18:32:49 UTC 2008
Hi Praveen,
The attacker would host a phishing Login form (controlled by the
phisher), but would also embed an iframe containing the Yahoo Login
screen with just the Sign-in Seal showing. If this was possible, the
user would see a Login form with the Yahoo Sign-in Seal. This is why we
have framebusting code on the Yahoo Login screen.
JS has to be enabled for framebusting to work, so we'll only display the
Sign-in Seal if JS is enabled. As far as I can tell, disabling JS inside
an iframe using the method posted by Breno cannot be used to embed the
Sign-in Seal onto a phishing page.
Thanks
Allen
Praveen Alavilli wrote:
> But why would a hacker open the real yahoo sign in page in an iframe
> (security enabled or not) - there is nothing to gain from it (whether
> it shows the signin seal or not). Instead they are better off showing
> their own phishing page to steal the credentials.
>
> - Praveen
>
> Breno de Medeiros wrote:
>> On Tue, Oct 21, 2008 at 6:03 PM, Allen Tom <atom at yahoo-inc.com> wrote:
>>
>>> Hi Breno,
>>>
>>> Do you have a demo of this?
>>>
>>
>> I could put one together, the directions are here:
>>
>> http://msdn.microsoft.com/en-us/library/ms534622(VS.85).aspx
>>
>>
>>> Thanks
>>> Allen
>>>
>>>
>>> Breno de Medeiros wrote:
>>>
>>>> IE allows you to create an iframe and disable JS inside the iframe.
>>>> 70-85% of users will be vulnerable to this attack.
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>>
>
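The defence Allen describes above, as an added example that is not code from the Yahoo login page or from anyone on this thread: the sign-in seal starts hidden in the server-rendered HTML and is only revealed by script, and that script first checks that the page is not framed. If a phisher's iframe prevents script from running, nothing ever reveals the seal; if script does run while framed, the page busts out of the frame instead of showing it. The element id `signin-seal`, the hostnames, and the stand-in window/document objects are all constructed so the logic runs under Node without a browser.

```javascript
// Returns true when this window is not the top-level browsing context.
// The try/catch is defensive: if an environment throws on the comparison,
// we treat the page as framed rather than risk revealing the seal.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Pure policy decision, kept separate so it can be tested without a browser.
function sealPolicy(win) {
  return isFramed(win)
    ? { showSeal: false, action: "frame-bust" }
    : { showSeal: true, action: "reveal-seal" };
}

// Apply the policy: either navigate the top window to our own URL (framebust)
// or reveal the seal element, which the HTML ships with display:none.
function applySealPolicy(win, doc) {
  const decision = sealPolicy(win);
  if (decision.action === "frame-bust") {
    try {
      // Assigning top.location is permitted even for a cross-origin parent.
      win.top.location.href = win.self.location.href;
    } catch (e) {
      // If the navigation is blocked, the seal simply stays hidden.
    }
    return decision;
  }
  const seal = doc.getElementById("signin-seal"); // hypothetical id
  if (seal) seal.style.display = "block";
  return decision;
}

// Models a page load. When script is disabled inside the embedding frame
// (the IE trick discussed in the thread), this function is never reached in
// a real browser; here we model that by skipping the policy entirely.
function simulatePageLoad(win, doc, scriptEnabled) {
  if (!scriptEnabled) {
    return { showSeal: false, action: "no-script", sealDisplay: doc.seal.style.display };
  }
  const decision = applySealPolicy(win, doc);
  return { ...decision, sealDisplay: doc.seal.style.display };
}

// --- Constructed stand-ins for browser objects (not real DOM) ---
function makeDoc() {
  const seal = { style: { display: "none" } }; // hidden until script reveals it
  return { getElementById: (id) => (id === "signin-seal" ? seal : null), seal };
}

function topLevelWindow() {
  const w = { location: { href: "https://login.example.test/" } };
  w.top = w;
  w.self = w;
  return w;
}

function framedWindow() {
  const top = { location: { href: "https://phisher.example.test/login" } };
  const w = { location: { href: "https://login.example.test/" }, top: top };
  w.self = w;
  return w;
}

// Walk through the three cases from the thread.
function demo() {
  const results = {};
  results.topLevel = simulatePageLoad(topLevelWindow(), makeDoc(), true);
  const fw = framedWindow();
  results.framedWithScript = simulatePageLoad(fw, makeDoc(), true);
  results.framedTopNowAt = fw.top.location.href;
  results.framedNoScript = simulatePageLoad(framedWindow(), makeDoc(), false);
  return results;
}
```

The point of the hidden-by-default seal is that the attacker gains nothing by suppressing script: with script off, the seal never appears, and with script on, the framebuster fires before the seal is revealed. Today a login page would also send an `X-Frame-Options` or Content-Security-Policy `frame-ancestors` response header, which the browser enforces without any script running at all.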