lcamtuf's blog: The old switcharoo

December 08, 2011

The old switcharoo

Another tiny proof-of-concept for the day:

http://lcamtuf.coredump.cx/switch/

While the idea is fairly trivial, it seems pretty frightening to me - and neatly illustrates one of the points I'm making in The Tangled Web. I highly doubt that even the most proficient and attentive users would be able to spot this happening in the wild.

(If you don't get it, try again, and follow instructions on the screen.)

Interesting results can be also achieved in some browsers with history.back(), but I'll leave this as an exercise for readers. The same goes for the implications it has for clickjacking, drag-and-drop, and other attacks normally associated with frames.

PS. Another silly proof-of-concept as a bonus: click here.

1 comment:

derobertDecember 09, 2011 8:21 AM
It first shows http://banking.beaver-peak.us/banking_interface/ and then shows 'data:text/html;-peak.us/banking_interface/' ... So its very obvious it has happened, if you're looking at the URL bar. I also get a loading indicator on the tab.

But of course, if you were actually looking at the site (as opposed to url and tab bar), you'd not notice, that is indeed scary.

The second one doesn't work at all, the fraction slash doesn't look like solidus, its angled significantly differently. But in other fonts...

This is in Iceweasel 8. I have the preference to show full URL turned on in about:config.
ReplyDelete

Add comment