FitchVA
NAXJA Forum User
Location: Roanoke, VA
This has been passed around on the net for a few days now and I've had to sit in on some long meetings on this topic, but I figured that y'all might want to know about it if you haven't already heard about it.
there's a flaw in IE (confirmed on v6) that allows people to post fake links. when you mouse over these links, the status bar shows a reputable url. when you click on it, the address bar shows a reputable url. but you could be on a totally different web page. here's an example:
Click on this link to go to CNN.
notice that when you hold the mouse over the link, the status bar says "www.cnn.com" and when you click on the link the address bar says the same. but you're now looking at my personal web page. tricky ain't it?
just look out for strange emails asking you to log into some account to fill in your account info. kinda like that paypal scam that went around. they could make a fake page to look like a valid paypal account and you wouldn't know the difference. so be careful.
and nope, no download, no patch. at least microsoft hasn't put one out yet. HERE'S THE FULL STORY <-- that's a real url this time
we have weekly meetings with these folks. here's a summary of what they have to say from the link above...
it's a pretty clever workaround. one of those things that you know about both parts, but you never put 1 and 1 together. it uses the common url redirect along with special characters that aren't picked up in the validation scripts.

Solution:
- Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities.
- Don't follow links from untrusted sources.
oh, btw, if the above test doesn't work on you like i described, you're safe...for now. if the above test does prove to be vulnerable, post your IE versions here.
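An added example, not part of FitchVA's post or the linked story, of the "filter malicious characters" advice in the summary above: a small link checker that works out which host a link really connects to and compares it with the host the user sees. It assumes the spoof works by putting a look-alike hostname in the user:password@ part of the URL, followed by a non-printing character, so the real host comes after the "@" (that mechanism is an assumption stated here, not quoted from the post), and it uses a made-up host `attacker.example` as the constructed sample input. It runs under Node.js with the built-in WHATWG `URL` parser.

```javascript
// Added example (not from the forum post): flag links whose real host is
// hidden behind a user:pass@ prefix or control characters, and links whose
// visible text names a different host than the one the browser would open.
// Assumption: the spoof uses the userinfo ("@") form of the URL plus a
// control character such as %01 before the "@".

// C0 control characters and DEL, which have no business in a link.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

// A hostname-like token, used to spot a fake host in userinfo or link text.
const HOST_TOKEN = /\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/i;

function safeDecode(s) {
  // decodeURIComponent throws on malformed %-sequences; fall back to raw text.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns { ok, actualHost, apparentHost, reasons }.
function analyzeLink(href, visibleText) {
  const reasons = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, actualHost: null, apparentHost: null, reasons: ["unparseable URL"] };
  }

  // The host the browser actually connects to: everything after "@".
  const actualHost = url.hostname;

  // Anything before "@" is credentials, never the destination.
  const userinfo = safeDecode(url.username + (url.password ? ":" + url.password : ""));
  if (url.username || url.password) {
    reasons.push("credentials (user@host form) in URL");
    const fake = HOST_TOKEN.exec(userinfo);
    if (fake) reasons.push(`hostname-like text "${fake[0]}" before "@"`);
  }

  if (CONTROL_CHARS.test(userinfo) || CONTROL_CHARS.test(href)) {
    reasons.push("control characters in URL");
  }

  // What the user sees: a host named in the link text, if any.
  const m = HOST_TOKEN.exec(visibleText || "");
  const apparentHost = m ? m[0].toLowerCase() : null;
  if (apparentHost && actualHost !== apparentHost &&
      !actualHost.endsWith("." + apparentHost)) {
    reasons.push(`link text shows ${apparentHost} but connects to ${actualHost}`);
  }

  return { ok: reasons.length === 0, actualHost, apparentHost, reasons };
}

// Constructed sample links (attacker.example is a made-up host).
const SAMPLES = [
  ["http://www.cnn.com%01@attacker.example/", "www.cnn.com"],
  ["http://www.cnn.com/", "www.cnn.com"],
];

for (const [href, text] of SAMPLES) {
  const r = analyzeLink(href, text);
  console.log(r.ok ? "OK " : "BAD", href, "->", r.actualHost, r.reasons.join("; "));
}

module.exports = { analyzeLink };
```

A proxy or mail filter applying the summary's advice would simply drop or rewrite any link for which `analyzeLink` returns `ok: false`; the `reasons` array is there so an analyst can see which rule fired.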