Comments on: Phishing with URL Obfuscation continues in Safari 4

By: Hijacking Safari 4 Top Sites with Phish Bombs | SecureThoughts.com

Hijacking Safari 4 Top Sites with Phish Bombs | SecureThoughts.com — Tue, 11 Aug 2009 23:48:52 +0000

[...] by the Safari’s inadequate protection against URL obfuscation attacks as highlighted in [3], which makes it almost impossible for a regular user to spot the fake site and differentiate it [...]

By: Inferno

Inferno — Tue, 28 Jul 2009 01:44:47 +0000

Hi Kurt,

I had a chat with Google Security Team before i decided to write this post. They felt that their mitigation mechanisms were sufficient enough. I still kinda disagree and feel that a more uniform solution is required across all browsers, rather than each browser having one or other type of flaw.

Regards,
Inferno

By: Kurt

Kurt — Tue, 28 Jul 2009 01:26:29 +0000

Inferno,
while your description of the chrome browsers response to this exploit is accurate, I believe, from my experience, users do not glance up at the address bar often enough to prevent falling for this. I believe Firefox’s response with an error box and default selection of “no” is far more effective than Google’s chrome. I also agree that Microsoft’s response is insufficient. But even that is better than taking you directly to the link where you’re asked for login credentials as what happens with chrome.
Respectfully,
Kurt

By: G@rFieLd

G@rFieLd — Tue, 21 Jul 2009 09:59:38 +0000

By the way, the KDE browser konqueror loads the URL unfortunatly too.

By: Inferno

Inferno — Fri, 19 Jun 2009 08:36:17 +0000

Thanks David ! Fixed it. For Apple, hope they fix that one fast so that i can discuss it here.

By: David

David — Fri, 19 Jun 2009 07:53:39 +0000

Inferno, I was talking about the Internet Explorer link to Microsoft on second line first paragraph.

I’m curious about the one you are solving with Apple.

By: Inferno

Inferno — Thu, 18 Jun 2009 00:32:32 +0000

Hi David,

Thanks a lot for pointing this out. Google Analyticator messed it up, so I am now using a textarea instead.

I reported two exploits to Apple Security Team, one of them was this one. On this issue, Apple didn’t respond to me despite my repeated emails. It is pretty aweful to leave such exploits open when everyone else fixed it years ago . On the other exploit, Apple is actively replying to my emails and I will discuss that once it is fixed. That is much more serious that this one…..

By: Safari 4 still open to Phishing with URL Obfuscation | David Sopas

Safari 4 still open to Phishing with URL Obfuscation | David Sopas — Wed, 17 Jun 2009 18:48:29 +0000

[...] reading on SecureThoughts about the new Safari 4 on how it’s still open to phishing with URL [...]

By: David

David — Wed, 17 Jun 2009 18:44:29 +0000

By the way, your link to Internet Explorer is messed up

By: David

David — Wed, 17 Jun 2009 18:39:36 +0000

Apple each day is proving to me that they need to open their eyes to security.
They are “ignoring” or taking to much time to secure big open bugs.

The bigger they some, the less they care about security, right?