Shmoo Group exploit: 0wn any domain, no defense exists

Pablos sez, "Shmoocon ended today. And just to prove The Shmoo Group wasn't sitting on their asses for the entire time while planning the con - A new exploit was demo'd by EricJ that left all jaws out on the floor. Want to own ANY domain? Want a trusted SSL cert for it? Check it out here. We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers. Official advisory here. Phishing attacks of doom coming soon."
Source: BoingBoing

Oh lord, this is just another fold in the phishing debacle. I found this interesting from the advisory:

VI. Vendor Responses

Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be making any changes.
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.

You can read the full advisory for how to turn IDN off in Mozilla-based browsers, as well as how exactly they have spoofed PayPal.com. And by all means, try out the proof of concept.
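As an added example (my own code, not from the advisory, the Shmoo demo or the browser vendors): a defender-side check that takes a hostname as either a Unicode name or its xn-- form, decodes it with Python's built-in idna codec, and flags labels that mix scripts or that are built entirely from Latin lookalikes. The lookalike table is a constructed partial list of Cyrillic letters, not the full Unicode confusables data, and the sample hostname with a Cyrillic "а" standing in for the Latin "a" is constructed for this example.

```python
"""Flag IDN hostnames whose labels mix scripts or use Latin-lookalike letters."""
import unicodedata

# Constructed partial table for this example (not the full Unicode confusables
# list): Cyrillic letters that render identically to their Latin twins.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def to_unicode_host(host: str) -> str:
    """Accept an A-label host (xn--...) or a U-label host; return U-labels."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def scripts_in_label(label: str) -> set[str]:
    """Scripts used in one DNS label (first word of each character's name)."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue  # ASCII digits and hyphen are script-neutral
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label: str) -> str:
    """Collapse known lookalikes to the Latin letter a user would perceive."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label)


def homograph_report(host: str) -> dict:
    """Per-label findings plus an overall verdict for one hostname."""
    uhost = to_unicode_host(host).lower()
    labels = uhost.split(".")
    mixed = [lab for lab in labels if len(scripts_in_label(lab)) > 1]
    # A label is a lookalike if swapping twins leaves a plain ASCII label.
    lookalike = [lab for lab in labels
                 if skeleton(lab) != lab and skeleton(lab).isascii()]
    return {
        "unicode": uhost,
        "ascii": uhost.encode("idna").decode("ascii"),
        "mixed_script_labels": mixed,
        "lookalike_labels": lookalike,
        "suspicious": bool(mixed or lookalike),
    }


if __name__ == "__main__":
    for h in ("paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com"):
        print(homograph_report(h))
```

The genuine ASCII name passes cleanly, while the constructed spoof is caught both by the mixed-script test and by the lookalike test, whichever form it arrives in.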

Thanks to Rob Griffiths for the link.

This weblog is licensed under a Creative Commons License.