Apoll0 wrote:
The good news is unless it is a targeted attack that knows the sites you access, it relies on chance. The attacker will open a tab in your browser with a fake site login, and hope that you go to that tab, see a familiar login, and enter your credentials.
Raskin wrote:
Using my CSS history miner you can detect which site a visitor uses and then attack that site (although this is no longer possible in Firefox betas). For example, you can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate login screen and favicon on demand.
Even more deviously, there are various methods to know whether a user is currently logged into a service. These methods range from timing attacks on image loads, to seeing where errors occur when you load an HTML webpage in a script tag*. Once you know what services a user is currently logged in to, the attack becomes even more effective.