[WEB SECURITY] Secure Browsing: Comitari-Free Released

Nick Nikiforakis nikiforakis.nick at gmail.com
Mon Feb 28 13:54:11 EST 2011


Dear Shlomi,

Thanks for your reply. I decided to try Comitari Free and I can't say that I
was impressed. I installed the plugin and I visited comitaritest.t35.com which
is a fake PayPal page that I created specifically for testing your product.
Unfortunately your product didn't detect it as a phishing page even though I
didn't make any attempts to obfuscate PayPal's HTML or images. The only
modification I actually did to PayPal's HTML code was to change the form's
target to a local (non-existing) PHP page that would serve to gather the
credentials for later use.

You can try it yourself. Screenshots of my results are available here:

http://securitee.org/files/images/comitari1.PNG
http://securitee.org/files/images/comitari2.PNG

I actually also tried it on a known PayPal phishing page (from phishtank.com)
and it also didn't detect that.

Regards
Nick Nikiforakis

On Mon, Feb 28, 2011 at 6:24 PM, gaz Heyes <gazheyes at gmail.com> wrote:

> On 28 February 2011 10:56, Shlomi Narkolayev <shlominar at gmail.com> wrote:
>
> If (IE User){
>>
>>         I invite you install Comitari-Free; provides client side
>> protection against ClickJacking, LikeJacking and other UI Redressing
>> attacks.
>> }
>> else{
>>
>>        printf ("Stay tuned, FF and Chrome versions will be released in a
>> few weeks");
>>        return;
>> }
>>
>
> missing ) after argument list (line 1)
>
>
> We are using a patent pending algorithm. Our technology isn't based on
>> black lists. Unfortunately currently I can't elaborate about the phishing &
>> pharming algorithm.
>>
>
> I stopped reading here.
>
>
>
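The test described above (a cloned brand login page whose form posts credentials to the hosting site rather than to the brand) is exactly the kind of page a non-blacklist checker should catch from structure alone. The following is an added example, not Comitari's code and not the poster's test page: it parses a login page, notes which brand asset domains it pulls from, and flags any password form that submits over plain HTTP or to a registrable domain the brand does not use. The `BRAND_ASSET_DOMAINS` table, the `registrable` helper and both sample pages are constructed for the demo.

```python
"""Heuristic check for cloned login pages: flags a password form that sends
credentials somewhere other than the brand whose assets the page loads.
Added example; not Comitari's code and not the original poster's test page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed mapping (assumption, not a real product list): a brand's static
# asset domain -> registrable domains its genuine login forms may post to.
BRAND_ASSET_DOMAINS = {
    "paypalobjects.com": {"paypal.com"},
}


def registrable(host):
    """Crude eTLD+1 (last two labels); a real checker would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class PageScan(HTMLParser):
    """Collects forms (action + whether they take a password) and asset hosts."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "has_password": bool}
        self.asset_hosts = set()
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() == "password":
                self._form["has_password"] = True
        elif tag in ("img", "script", "link"):
            ref = a.get("src") or a.get("href")
            host = urlparse(ref).hostname if ref else None
            if host:
                self.asset_hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def analyze_login_page(page_url, html):
    """Return a list of human-readable findings (empty list = nothing suspicious)."""
    scan = PageScan()
    scan.feed(html)
    brands_seen = {registrable(h) for h in scan.asset_hosts} & set(BRAND_ASSET_DOMAINS)
    findings = []
    for form in scan.forms:
        if not form["has_password"]:
            continue
        # A relative or empty action resolves against the page's own URL.
        action = urlparse(urljoin(page_url, form["action"]))
        dest = registrable(action.hostname or "")
        if action.scheme != "https":
            findings.append(f"password form submits over {action.scheme} to {dest}")
        for brand in brands_seen:
            if dest not in BRAND_ASSET_DOMAINS[brand]:
                findings.append(
                    f"page loads {brand} assets but sends the password to {dest}")
    return findings


# Constructed sample 1: a clone hosted on a throwaway host whose form posts to a
# local collector script, mirroring the modification described in the thread.
CLONED_PAGE_URL = "http://clone-test-host.example/paypal/index.html"
CLONED_HTML = """
<html><body>
<img src="https://www.paypalobjects.com/img/logo.png">
<form action="collect.php" method="post">
  <input type="text" name="login_email">
  <input type="password" name="login_password">
  <input type="submit" value="Log In">
</form>
</body></html>
"""

# Constructed sample 2: the same markup served and submitted by the brand itself.
GENUINE_PAGE_URL = "https://www.paypal.com/signin"
GENUINE_HTML = CLONED_HTML.replace('action="collect.php"',
                                   'action="https://www.paypal.com/signin/submit"')

if __name__ == "__main__":
    print("clone  :", analyze_login_page(CLONED_PAGE_URL, CLONED_HTML))
    print("genuine:", analyze_login_page(GENUINE_PAGE_URL, GENUINE_HTML))
```

The two signals are deliberately independent: the plain-HTTP check needs no brand knowledge at all, while the asset-versus-destination check catches the clone even if it were served over TLS. The brand table is the weak point of any such approach, since legitimate sites routinely serve static assets from a separate domain, so it has to be curated rather than inferred from the page.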