I saw this earlier this week. Crazy stuff. The good news is unless it is a targeted attack that knows the sites you access, it relies on chance. The attacker will open a tab in your browser with a fake site login, and hope that you go to that tab, see a familiar login, and enter your credentials. Still something to be wary of of course...
Joined: 21 Sep 2003 Posts: 16777097 Location: Portugal
Posted: Fri May 28, 2010 4:34 am Post subject:
The good news is unless it is a targeted attack that knows the sites you access, it relies on chance. The attacker will open a tab in your browser with a fake site login, and hope that you go to that tab, see a familiar login, and enter your credentials.
The problem is there are ways the attacker can find out whether or not you are logged in on any of a given number of sites:
Using my CSS history miner you can detect which site a visitor uses and then attack that site (although this is no longer possible in Firefox betas). For example, you can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate login screen and favicon on demand.
Even more deviously, there are various methods to know whether a user is currently logged into a service. These methods range from timing attacks on image loads, to seeing where errors occur when you load an HTML webpage in a script tag*. Once you know what services a user is currently logged in to, the attack becomes even more effective.
Oh wow, true. I guess combining this with MITM or MITB efforts could also result in more success...just depends on the sophistication of the attacker. I think though that a majority will just go for the easy ones (facebook, email accts, major creditors, etc)...actually any active monitoring and real time exploit could be bad...eesh...
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum