[thelist] Interesting new Browser history sniffing trick
Lee kowalkowski
lee.kowalkowski at googlemail.com
Tue Aug 22 16:19:53 CDT 2006
On 22/08/06, Christian Heilmann <codepo8 at gmail.com> wrote:
> Now, Jeremiah Grossman found a way around that:
> http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
Very nice indeed, but not *quite* finding a way to get the URLs out of
the browser window (session) history.
This lists hand-picked URLs that the user has visited since the
relevant cache was cleared / purged, but depending on the attacker's
goal, this is even better, because it has a higher chance of
qualifying a victim.
1/ Detect customer of banking corp.
2/ Display interesting article containing a link to the said bank
about anything that would encourage the reader to follow it, e.g.
Free MP3 player if your current balance ends in ".93".
3/ Present fake/proxy login page.
Scary.
--
LK