Cross-domain JavaScript and its evils…


Always reading the best of online chatter, I stumbled across a post from December regarding phishing and cross-domain JavaScript and its evils. Eric Pascarello suggests another risk of running JavaScript from another domain: using JavaScript to fake a login page.

Spoofing of a web page to get your information is so common. I see in my inbox that your (insert bank, shopping site, etc.) account is going to be removed if you do not verify your information. You look at the link and it says something like ebay.VerificationService.com/securityApproval. Anyone stupid enough to click on the link sees the look and feel of ebay and fills out the form.

Bye (sic.) to your account information. Now this same basic principle can be applied to any site.


A malicious external script might produce a fake GMail login screen. In the story here, it adds GMail to a new frame:

How did they get his password? Well, it ends up that the cheese page had some code sitting there that noticed if a user was not active for an extended period of time, so it opened up a framed page with gmail in one of the frames. Since cross browser scripting was enabled, the cheese page changed the properties of the form to post to the cheese server, logging the username and password. After the data was recorded, the user was redirected to gmail and the rest is history in this fake story.

Of course, most users would ask, “Why is there a GMail login page in my browser?” In Eric’s story, the user is distracted by a phone call. Other times, it could possibly happen if the user returned to the background tab. It might not trick many users, but even if it catches one person out, that’s a serious problem. The scenario here is further evidence that people need to take care with cross-domain scripting.
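The trick in Eric’s story is a foreign script re-pointing the login form so it posts to the attacker’s server. One defensive check a page owner can run is to audit every form and flag any whose submission target resolves to a different origin than the page itself. The code below is an added example, not from the original post or from Ajaxian; it models forms as plain objects so it runs without a DOM, and the hostnames (mail.example.com, cheese.example.net) are constructed for the sample.

```javascript
// Added example: flag forms whose action would submit to a foreign origin.
// In a browser you would call auditForms with
//   Array.from(document.forms).map(f => ({ id: f.id, action: f.getAttribute("action") }))
// and location.href (getAttribute gives the raw value; the .action property
// is already resolved by the browser).

function formTargetOrigin(action, pageUrl) {
  // A missing or empty action submits to the current document URL.
  const target = action === undefined || action === null || action === "" ? pageUrl : action;
  try {
    // Resolves relative and protocol-relative ("//host/path") actions against the page.
    return new URL(target, pageUrl).origin;
  } catch (e) {
    return null; // unparsable target: treated as foreign, i.e. flagged
  }
}

function auditForms(forms, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const form of forms) {
    const origin = formTargetOrigin(form.action, pageUrl);
    if (origin !== pageOrigin) {
      findings.push({ id: form.id, action: form.action, origin });
    }
  }
  return findings;
}

// Constructed sample: a login page with one legitimate form, one whose action
// was rewritten to a foreign host, and one using a protocol-relative URL.
const PAGE_URL = "https://mail.example.com/login";
const SAMPLE_FORMS = [
  { id: "login", action: "/auth" },
  { id: "login-spoofed", action: "https://cheese.example.net/collect" },
  { id: "search", action: "" },
  { id: "proto-relative", action: "//cheese.example.net/collect" },
];

function runAudit() {
  return auditForms(SAMPLE_FORMS, PAGE_URL);
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(runAudit()); // prints the two forms pointing at cheese.example.net
}
```

Such an audit is only a detector; the server-side control for the same risk is a Content-Security-Policy with `form-action 'self'`, which makes the browser refuse cross-origin form submissions regardless of what a script does to the form.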

[ Source: Ajaxian » 2005 » December ]

About Lonny Paul

I'm just a simple guy with too much extra time in front of a keyboard and screen. There, I fill my time with a myriad of things in addition to watching the entire internet, like blogging, taking photos, creating composite and panoramic images, or doing nothing but watching a bunch of video. Check out my Profile on Google+.