IE Flaw Allows Spoofed URLs
A newly publicized bug in Internet Explorer shows that it is possible to craft HTML which causes Internet Explorer to display an incorrect URL in its address and status bars. This makes it easier for Internet fraudsters to trick web users into divulging critically important information, such as their bank account details, while apparently interacting with a completely authentic URL.
The technique, which can be exploited by anyone with a rudimentary knowledge of HTML tags, is being demonstrated on several web sites.
URLs with an '@' [the text to the left of the @ in a URL is taken to be a user account on the site name which follows], such as http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&StateLevel=GetFrom@61.252.126.191/verified_by_visa.html, are commonly used by fraudsters launching electronic mail fraud attacks on customers of banks and credit card companies.
In the example, Explorer serves a page from the local server while displaying the URL as www.microsoft.com.
Microsoft's immediate response is to recommend that people only enter sensitive information on SSL sites, after checking the certificate details.
Mozilla [both Windows and Linux versions] displays the URL correctly.
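The '@' form described above can be checked mechanically, for instance in a mail filter or link scanner. The following is an added example, not part of the original article: it uses the standard `URL` parser found in browsers and Node.js to report the host that will really be contacted and to flag userinfo that imitates a hostname. `inspectUrl`, its result fields and the two benign sample URLs are assumptions made for illustration.

```javascript
// Added example: report the host a browser will really contact and flag
// URLs whose userinfo (the text left of '@') is dressed up as a hostname.
// inspectUrl and its result fields are illustrative names.

const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i; // e.g. "www.visa.com"
const IPV4 = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// The URL parser percent-encodes userinfo; decode it, tolerating bad escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    // Fail closed: a link that cannot be parsed is not trusted.
    return { realHost: null, userinfo: null, reasons: ["unparseable"], suspicious: true };
  }
  const user = safeDecode(url.username);
  const userinfo = url.password ? user + ":" + safeDecode(url.password) : user;
  const reasons = [];
  if (userinfo) reasons.push("userinfo-present");
  // The deceptive case: the name shown first is not the host contacted.
  if (HOSTLIKE.test(user) && user.toLowerCase() !== url.hostname) {
    reasons.push("userinfo-imitates-host");
  }
  if (IPV4.test(url.hostname)) reasons.push("ip-literal-host");
  const suspicious = reasons.includes("userinfo-imitates-host") ||
    (reasons.includes("userinfo-present") && reasons.includes("ip-literal-host"));
  return { realHost: url.hostname, userinfo: userinfo || null, reasons, suspicious };
}

// The '@' URL quoted in the article, then two constructed benign samples.
const SAMPLES = [
  "http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&StateLevel=GetFrom@61.252.126.191/verified_by_visa.html",
  "https://www.example.com/login",
  "http://alice@files.example.org/pub/",
];
for (const s of SAMPLES) {
  const r = inspectUrl(s);
  console.log(r.suspicious ? "FLAG" : "ok  ", r.realHost, r.reasons.join(","));
}
```

Only the first sample is flagged: the real host is the IP address after the '@', and everything before it is userinfo.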
Posted by Rich Miller at 12 December 2003
in Security
Copyright © Netcraft Ltd 2008. All Rights Reserved.