[WEB SECURITY] SiteKey

Thierry Zoller Thierry at Zoller.lu
Sat Nov 4 17:32:12 EST 2006




tycj> in http://www.bankofamerica.com/privacy/sitekey/ ...
Ouch, even using Flash objects I don't see how this helps prevent
phishing.

>we'll show your secret SiteKey image and image title...
>You know it's safe to enter your Passcode.
Wtf, the phisher just relays the data (like a proxy) between the
server and the client and he may show the image and title too, which
doesn't imply the user is safe to enter the passcode.

Ouch, now I feel in desperate need of an account there, a PoC
should be pretty easy, would be of interest to me.

Anybody want to give me the credentials to an account of his ;) ?

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


