[WEB SECURITY] Secure Browsing: Comitari-Free Released

Nick Nikiforakis nikiforakis.nick at gmail.com
Mon Feb 28 13:54:11 EST 2011

Dear Shlomi,

Thanks for your reply. I decided to try Comitari Free and I can't say that I am
impressed. I installed the plugin and I visited comitaritest.t35.com, which is
a fake PayPal page that I created specifically for testing your product.
Your product didn't detect it as a phishing page even though I made no
attempt to obfuscate PayPal's HTML or images. The only modification I
made to PayPal's HTML code was to change the form's target to a local
PHP page that would serve to gather the credentials for later use.

You can try it yourself. Screenshots of my results are available here:


I actually also tried it on a known PayPal phishing page (from phishtank.com)
and it also didn't detect that.

Nick Nikiforakis

On Mon, Feb 28, 2011 at 6:24 PM, gaz Heyes <gazheyes at gmail.com> wrote:

> On 28 February 2011 10:56, Shlomi Narkolayev <shlominar at gmail.com> wrote:
>> If (IE User){
>>         I invite you install Comitari-Free; provides client side
>> protection against ClickJacking, LikeJacking and other UI Redressing
>> attacks.
>> }
>> else{
>>        printf ("Stay tuned, FF and Chrome versions will be released in a
>> few weeks");
>>        return;
>> }
> missing ) after argument list (line 1)
>> We are using a patent pending algorithm. Our technology isn't based on
>> black lists. Unfortunately currently I can't elaborate about the phishing &
>> pharming algorithm.
> I stopped reading here.
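Nick's test page changed exactly one thing in PayPal's markup: the credential form's target now points at a collector script on the test host. That is the signal a non-blacklist, client-side check could key on. The following is an added example, not Comitari's code and not anything Nick posted: a heuristic that flags a page which references a known brand's domains, carries a password form, and is either not hosted on that brand's domain or posts the form somewhere other than that brand's domain. The brand marker table, the naive eTLD+1 function, the tag-scanning regexes and both sample pages are assumptions constructed for the example; the live PayPal paths and the collector filename `collect.php` are placeholders, not taken from the original message.

```javascript
// Added example: heuristic "cloned login form posts off-brand" check.
// Not Comitari's algorithm. Brand table, sample HTML and helper logic are
// assumptions made for illustration only.

// Assumption: domains whose presence in page markup marks a brand imitation.
const BRAND_MARKERS = {
  "paypal.com": ["paypal.com", "paypalobjects.com"],
};

// Naive eTLD+1 (last two labels). Real code should use the Public Suffix List;
// this is an assumption that holds for the sample hosts below.
function registrableDomain(hostname) {
  const parts = hostname.toLowerCase().split(".");
  return parts.slice(-2).join(".");
}

// Crude <form> scan: enough for unobfuscated markup, not a real HTML parser.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const actionMatch = /\baction\s*=\s*["']?([^"'\s>]*)/i.exec(m[1]);
    forms.push({
      action: actionMatch ? actionMatch[1] : "",
      hasPassword: /<input\b[^>]*\btype\s*=\s*["']?password/i.test(m[2]),
    });
  }
  return forms;
}

// Which brands does the markup reference (logo hosts, links, asset CDNs)?
function brandsReferenced(html) {
  const found = [];
  for (const [brand, markers] of Object.entries(BRAND_MARKERS)) {
    const hit = markers.some((mk) =>
      new RegExp("(^|[./@])" + mk.replace(/\./g, "\\."), "i").test(html)
    );
    if (hit) found.push(brand);
  }
  return found;
}

// Flag a password form when the page or its POST target is off-brand.
function assessPage(pageUrl, html) {
  const page = new URL(pageUrl);
  const pageDomain = registrableDomain(page.hostname);
  const brands = brandsReferenced(html);
  const findings = [];
  for (const form of extractForms(html)) {
    if (!form.hasPassword) continue;
    // Relative actions (like "collect.php") resolve to the hosting page's origin.
    const target = new URL(form.action || "", page);
    const targetDomain = registrableDomain(target.hostname);
    for (const brand of brands) {
      if (pageDomain !== brand || targetDomain !== brand) {
        findings.push({ brand, pageDomain, targetDomain, action: target.href });
      }
    }
  }
  return { suspicious: findings.length > 0, findings };
}

// Constructed sample: a PayPal-looking page on the test host with the form
// re-targeted to a local collector (the placeholder name is an assumption).
const CLONE_PAGE_URL = "http://comitaritest.t35.com/";
const CLONE_HTML = `
<html><body>
<img src="https://www.paypalobjects.com/logo.gif">
<form method="post" action="collect.php">
  <input type="text" name="login_email">
  <input type="password" name="login_password">
  <input type="submit" value="Log In">
</form>
</body></html>`;

// Constructed sample: the same form as it would appear on the brand's own host.
const LEGIT_PAGE_URL = "https://www.paypal.com/signin";
const LEGIT_HTML = CLONE_HTML.replace(
  'action="collect.php"',
  'action="https://www.paypal.com/cgi-bin/webscr"'
);

console.log(JSON.stringify(assessPage(CLONE_PAGE_URL, CLONE_HTML), null, 2));
console.log(JSON.stringify(assessPage(LEGIT_PAGE_URL, LEGIT_HTML), null, 2));
```

The clone is flagged because the page domain (t35.com) and the form target (t35.com) both differ from the brand it imitates, while the same markup hosted on paypal.com and posting to paypal.com passes. Note the limits, which match what Nick observed on the PhishTank sample: string matching on brand domains is defeated as soon as a phisher hosts copies of the logos locally or obfuscates the markup, and a legitimate third-party site that merely mentions paypal.com next to its own login form would be a false positive, so a shipping product needs a DOM-based implementation, a proper public-suffix lookup and a visual or structural similarity signal on top of this.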