Beowulf wrote:If there is more than one tab open in a window, it doesn't work in Firefox. Try it. Click the link to open the Citibank website in a new window. Hit Ctrl+T. Then click the image. The Citibank window shows up properly.
At least, I think that's how it's working...
Yes, you're right. I did the test and got hijacked. However, when I opened the Citibank window in a new tab, I got the normal Citibank popup, not the hijacked popup. I'm using Mozilla 1.7.3.
Good thing I have a habit of opening new pages in new tabs, not in new windows.
Pcm979 wrote:How many fucking times do I have to tell you? I did the test. I'm safe.
Yeah, yeah. If you don't want to believe me then that is fine with me, but if you look at the pic I posted you will see that I use Firefox 1.0 and I am at risk from this attack.
There might be different reasons why this demo doesn't work for you, but if you think that the demo did not prove me to be at risk and therefore you must be safe, then all I can say about it is:
Don't come whining to me if you get scammed from this spoof!
[img=right]http://hem.bredband.net/b217293/warsaban.gif[/img] "Either God wants to abolish evil, and cannot; or he can, but does not want to. ... If he wants to, but cannot, he is impotent. If he can, but does not want to, he is wicked. ... If, as they say, God can abolish evil, and God really wants to do it, why is there evil in the world?" -Epicurus
Fear is the mother of all gods.
Nature does all things spontaneously, by herself, without the meddling of the gods. -Lucretius
Note that, although the attack site can inject its own content, it cannot change the URL appearing in the Location Bar. Firefox and Mozilla have the ability to deny access to the Location Bar so all pop-up windows always have it. To turn on this feature:
1. Enter about:config in the Location Bar.
2. Enter dom.disable_window_open_feature.location in the filter field.
3. Right-click (Ctrl+click on Mac OS) the preference option and choose Toggle (the value should change to true).
This is the really important part:
Note that, although the attack site can inject its own content, it cannot change the URL appearing in the Location Bar. Firefox and Mozilla have the ability to deny access to the Location Bar so all pop-up windows always have it.
I use Opera, and when I clicked on the link, no windows popped up (because I disabled all popups). When I allowed popups and clicked on the link, it took me to the Citibank popup, not the Secunia one. I tried this three times.
Opera rocks, Opera rules.
And you may ask yourself, 'Where does that highway go to?'
Brotherhood of the Monkey - First Monkey|Justice League - Daredevil|Late Knights of Conan O'Brien - Eisenhower Mug Knight (13 Conan Pts.)|SD.Net Chroniclers|HAB
Robert Treder wrote:I use Opera, and when I clicked on the link, no windows popped up (because I disabled all popups). When I allowed popups and clicked on the link, it took me to the Citibank popup, not the Secunia one. I tried this three times.
Opera rocks, Opera rules.
Allow popups, go to the Secunia site.
Click the link and then click the icon on Citibank.
From Secunia
Please note. If you wish to run the test multiple times, then please refresh this page before each test.
Dude, seriously. If people do the test and nothing happens (like with me) IT MEANS THEY ARE NOT AT RISK!!! Why have the test if it doesn't matter whether or not they pass the test? You say Firefox 1.0 is at risk. Fine, I can believe that. But risk does not equal definite attack. Maybe that risk is only for users who fit in a certain demographic (some other factor not included in the test), which means that while you and I may use the same browser, I may have no problem and you have a problem. So lay off the man for saying the tests showed he had no problem.
I set Firefox to open links that would normally open in a new window, in a new tab, instead (so when I left-click the link from the OP, the Secunia page automatically opens in a new tab, not a window). That way, the Secunia insertion opens in a regular tab, complete with URL bar.
"So you want to live on a planet?"
"No. I think I'd find it a bit small and weird."
"Aren't they dangerous? Don't they get hit by stuff?"
Folks, run the test at least three times. I thought I was safe too, until I ran it a third time and THEN I found that I was vulnerable. Just because it doesn't work the first time doesn't mean you're not vulnerable.
"I once asked Rebecca to sing Happy Birthday to me during sex. That was funny, especially since I timed my thrusts to sync up with the words. And yes, it was my birthday." - Darth Wong
Leader of the SD.Net Gargoyle Clan | Spacebattles Firstone | Twitter
I have no such issue with Mozilla Firefox on MacOS X using either link. I'll try doing it with only a single tab open, but with the Secunia window opened in a new tab, both of the Citibank links work properly and the Secunia advisory page appears in *that* tab, not in the Citibank popup window.
I can't figure out just how vulnerable I am. I've tested it with Opera (7.52), Firefox (1.0), Avant frontend for IE (10.0 build 030) and IE itself (6.0.2800.1106) with Google Toolbar for anti-pop-ups (2.0.114.6). Obviously, with all pop-up blockers running, I do not get the Secunia "you've been jacked" page. But in Avant and Firefox I do get messages that the Secunia "you've been jacked" page is blocked. So I at least know that they're trying to hijack. From a reality standpoint, isn't that safe enough until there are patches to the various browsers?
Click the link and then click the icon on Citibank.
From Secunia
Please note. If you wish to run the test multiple times, then please refresh this page before each test.
I did that. The exploit still doesn't work.
Hmm... I get an odd result from it. When doing the version with popup blockers on, I get the proper popup every time. However, if I do the one without popup blockers, something odd happens. I get the right popup, but the Secunia site with the original link becomes the hijacked popup.
I wonder how that works...
I'm using Firefox 1.0 and I'm not using any tabs for this.
Edit: Tried IE, too. No bad popup. Hmm... This bug must be affected by more than just the browsers. Firewall maybe? And I'm NOT turning that off to test it.