December 9, 2003

Internet Explorer spoof

There has been an exploit posted for a problem in Internet Explorer where it looks like you are at one site (judging by the URL in the address bar) but in actual fact you are somewhere else. Steve has an example exploit which shows how easy it is to do; for example, click Absoblogginlutely.net to see how I've done it for this page.
This seems a pretty drastic flaw, as that is often the only way you can check you really are where you think you are - Microsoft will probably have a patch out soon (I hope). For more details check out Security Focus or Secunia, or the person who discovered it, Zap The Dingbat.

Posted by Andy at December 9, 2003 9:24 PM
Comments

That's pretty funny. I clicked on the button from MozillaFirebird, and it still took me to microsoft.com, but the full malformed URL showed up in the address bar. 'http://www.absoblogginlutely.net%01@www.microsoft.com/'

I can see how that could be bad for IE users. Possibly thinking they're at paypal and put in their id/password and boom, now someone else has it.

Yet another reason to avoid IE like the plague.

Posted by: Chad at December 9, 2003 11:50 PM

Indeed. It actually says in the status bar that it's talking to 'www.absoblogginlutely.net@microsoft.com' - you could easily have this as 'www.paypal.com@143.53.123.31/whatever' and many people would be none the wiser.

Posted by: Neil T. at December 10, 2003 9:09 AM
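The two spoofed URLs quoted in the comments both rely on the user-info part of the URL (the text before '@'), which the browser never connects to. As an added example that is not part of the original post or comments, the following Python check, as a proxy or mail filter might apply it, parses such links and reports the host that will really be contacted; the sample URLs are constructed from the forms quoted above.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links: the two spoofed forms quoted in the comments above
# plus an ordinary URL and an ordinary user-info URL for comparison.
SAMPLE_URLS = [
    "http://www.absoblogginlutely.net%01@www.microsoft.com/",
    "http://www.paypal.com@143.53.123.31/whatever",
    "http://www.microsoft.com/",
    "http://user@www.example.com/",
]


def analyse_url(url):
    """Return (real_host, userinfo, decoy, suspicious) for one URL.

    real_host is the host the browser actually connects to (everything after
    the last '@' in the authority); userinfo is the percent-decoded text before
    it; decoy is that text with control characters removed, i.e. what a user
    might mistake for the destination; suspicious is True when the user-info
    either looks like a hostname or hides control characters such as %01.
    """
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    userinfo = ""
    if "@" in parts.netloc:
        userinfo = unquote(parts.netloc.rsplit("@", 1)[0])
    # A control character (e.g. \x01) is what truncated the visible URL in IE.
    has_control = any(ord(c) < 0x20 for c in userinfo)
    decoy = "".join(c for c in userinfo if ord(c) >= 0x20)
    looks_like_host = "." in decoy and " " not in decoy
    suspicious = bool(userinfo) and (looks_like_host or has_control)
    return real_host, userinfo, decoy, suspicious


def flag_suspicious(urls):
    """Return [(url, decoy_host, real_host)] for every URL that fails the check."""
    flagged = []
    for url in urls:
        real_host, _, decoy, suspicious = analyse_url(url)
        if suspicious:
            flagged.append((url, decoy, real_host))
    return flagged


if __name__ == "__main__":
    for url, decoy, real in flag_suspicious(SAMPLE_URLS):
        print(f"{url}\n  looks like: {decoy}\n  really goes to: {real}")
```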