
Teach a man to Phish

This is a completely safe link to the login page for Dropbox. (Use a regular click, not middle or 'Open in new tab')


The above phishing demo relies on two simple JavaScript methods:

  1. "event.preventDefault()" on this page: the link above is a real link to Dropbox, except that an attached JavaScript handler cancels the navigation and then sends the browser to my fake page at http://dl.dropbox.com/u/156162926/login.html instead (I was inspired to do this by the fullscreen exploit demo at feross.org).
  2. "window.history.pushState()" on my fake page, which changes the address shown in the URL bar without reloading. It is a relatively new HTML5 feature and will probably only work in up-to-date versions of Firefox, Chrome et al.

Granted, you can't use it to change the domain part of the address, but that isn't an issue if you've already found a way to run JavaScript on the target's domain. While as far as I know you can't run JavaScript directly on dropbox.com, the subdomain barely looks any different, and I suspect there are other services just as vulnerable, if not more so.
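As an added example (not code from the original post), the following models the same-origin rule that history.pushState() enforces, which is why the address bar trick only works once script already runs on the target's domain, and includes a small static audit a defender could run over a page's anchors; the function names, the sample page URL and the constructed anchor objects are assumptions.

```javascript
// Mirrors the browser check behind history.pushState(): the new URL is
// resolved against the current document URL and must share its origin
// (scheme, host, port); otherwise the browser throws a SecurityError and
// the address bar is left unchanged.
function pushStateTarget(currentHref, newUrl) {
  const current = new URL(currentHref);
  const target = new URL(newUrl, current); // relative paths resolve against the page
  if (target.origin !== current.origin) {
    throw new Error(`SecurityError: ${target.origin} is not ${current.origin}`);
  }
  return target.href;
}

// Crude static audit of one anchor: flags an inline click handler that
// calls preventDefault() and mentions an absolute URL whose origin differs
// from the origin of the visible href. Input is a constructed
// {href, onclick} object, not a live DOM node.
const URL_RE = /https?:\/\/[^\s'")]+/g;
function auditAnchor(anchor, pageHref) {
  const hrefOrigin = new URL(anchor.href, pageHref).origin;
  const handler = anchor.onclick || '';
  if (!/preventDefault\s*\(/.test(handler)) {
    return { suspicious: false, reason: 'handler does not cancel navigation' };
  }
  const foreign = (handler.match(URL_RE) || [])
    .map((u) => new URL(u).origin)
    .filter((origin) => origin !== hrefOrigin);
  return foreign.length > 0
    ? { suspicious: true, reason: `click redirected to ${foreign[0]}` }
    : { suspicious: false, reason: 'handler stays on the href origin' };
}

// Constructed sample data for a stand-alone run.
const PAGE = 'http://blog.example.invalid/teach-a-man-to-phish';
const SAMPLE_ANCHORS = [
  { href: 'https://www.dropbox.com/login', onclick: '' },
  { href: 'https://www.dropbox.com/login',
    onclick: "event.preventDefault(); location.href='http://dl.dropbox.com/u/156162926/login.html'" },
];
for (const a of SAMPLE_ANCHORS) {
  console.log(a.href, '=>', JSON.stringify(auditAnchor(a, PAGE)));
}
```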

Am I being overly dramatic about this or should this be a real concern?


Comments

Jeffery Herring (not verified)

What is this? Are you guys teaching phishing? I think I need an anti-phishing software for this reason.

Earok

Not really. The title was just a pun, and I was just demonstrating a particular weakness with Dropbox (which, to their credit, has since been fixed) and HTML5/JavaScript which could be used to create a convincing phishing site, and how incredibly simple it is.