A real hacker wouldn't. But the fact that legitimate sites <i>can</i> do it means that some will likely do it. If legitimate sites embed the Yahoo sign-in page in an iframe, thus hiding <a href="http://yahoo.com">yahoo.com</a> from the location bar, users will become desensitized to not seeing <a href="http://yahoo.com">yahoo.com</a> when they enter their credentials. This will make the phisher's job that much easier.<br>
<br><div class="gmail_quote">On Wed, Oct 22, 2008 at 8:33 AM, Praveen Alavilli <span dir="ltr"><<a href="mailto:AlavilliPraveen@aol.com">AlavilliPraveen@aol.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
But why would a hacker open the real Yahoo sign-in page in an iframe<br>
(security enabled or not) - there is nothing to gain from it (whether it<br>
shows the sign-in seal or not). Instead they are better off showing their<br>
own phishing page to steal the credentials.<br>
<font color="#888888"><br>
- Praveen<br>
</font><div class="Ih2E3d"><br>
Breno de Medeiros wrote:<br>
> On Tue, Oct 21, 2008 at 6:03 PM, Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<br>
><br>
>> Hi Breno,<br>
>><br>
>> Do you have a demo of this?<br>
>><br>
><br>
> I could put one together, the directions are here:<br>
><br>
> <a href="http://msdn.microsoft.com/en-us/library/ms534622%28VS.85%29.aspx" target="_blank">http://msdn.microsoft.com/en-us/library/ms534622(VS.85).aspx</a><br>
><br>
><br>
>> Thanks<br>
>> Allen<br>
>><br>
>><br>
>> Breno de Medeiros wrote:<br>
>><br>
>>> IE allows you to create an iframe and disable JS inside the iframe.<br>
>>> 70-85% of users will be vulnerable to this attack.<br>
>>><br>
<br>
</div><div><div></div><div class="Wj3C7c">_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>
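The point Breno raises above (IE lets a page put the real sign-in page in an iframe with script disabled, so the framed page cannot defend itself with JavaScript) is easiest to see as code. The block below is an added example written for this thread; it is not code from any of the posters, from Yahoo, or from the MSDN page linked above. It models the two kinds of framing defence a sign-in page can have: a script frame-buster, which is exactly what IE's <code>security="restricted"</code> iframe switches off, and a browser-enforced response header (<code>X-Frame-Options</code> or CSP <code>frame-ancestors</code>), which the browser applies before any script runs and therefore survives the restricted iframe. The origins <code>https://login.yahoo.com</code>, <code>https://mail.yahoo.com</code> and <code>https://evil.example</code> are constructed sample values, and the header parsing ignores ports for brevity.

```javascript
'use strict';
// Added example (not from the thread). Models why a JavaScript frame-buster on
// a sign-in page does not hold against an IE <iframe security="restricted">,
// while a header-level anti-framing policy does. Sample origins are constructed.

// The markup a framing page uses. With `restricted` set, IE disables script
// inside the frame, so the framed page's own frame-buster never runs.
function framingHtml(signInUrl, restricted) {
  const attr = restricted ? ' security="restricted"' : '';
  return `<iframe${attr} src="${signInUrl}"></iframe>`;
}

// Pull the frame-ancestors source list out of a Content-Security-Policy value.
// Returns null when the directive is absent.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Match a CSP host source (e.g. "https://*.yahoo.com", "*.yahoo.com",
// "https://mail.yahoo.com") against a concrete origin. Ports are ignored here.
function originMatches(pattern, origin) {
  const p = pattern.toLowerCase();
  const [pScheme, pHost] = p.includes('://') ? p.split('://') : [null, p];
  const [oScheme, oHost] = origin.toLowerCase().split('://');
  if (pScheme && pScheme !== oScheme) return false;
  if (pHost.startsWith('*.')) return oHost.endsWith(pHost.slice(1));
  return pHost === oHost;
}

// Would a browser that honours these response headers let `framerOrigin`
// embed a page served from `pageOrigin`? true means framing is allowed.
function headersAllowFraming(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const sources = frameAncestors(h['content-security-policy']);
  if (sources) {
    // frame-ancestors, when present, is the policy that counts.
    const cleaned = sources.map(s => s.replace(/^'|'$/g, '').toLowerCase());
    if (cleaned.includes('none')) return false;
    return cleaned.some(s => {
      if (s === 'self') return framerOrigin === pageOrigin;
      if (s === '*') return true;
      return originMatches(s, framerOrigin);
    });
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no policy at all: anyone may frame the page
}

// Combined model. The sign-in page ends up framed by `framerOrigin` unless the
// headers forbid it, or a frame-buster is present AND actually gets to run
// (it does not run inside a restricted iframe).
function signInFramable({ headers, hasFrameBuster, restrictedIframe, pageOrigin, framerOrigin }) {
  if (!headersAllowFraming(headers, pageOrigin, framerOrigin)) return false;
  const busterRuns = hasFrameBuster && !restrictedIframe;
  return !busterRuns;
}

// Headers a sign-in response should carry so the browser refuses framing itself.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}
```

Running <code>signInFramable</code> with a frame-buster but no headers gives <code>false</code> for a normal iframe and <code>true</code> once <code>restrictedIframe</code> is set, which is the gap the thread is describing; adding <code>antiFramingHeaders()</code> makes it <code>false</code> in both cases, because that decision is taken by the browser before any script in the frame would run.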