[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: seamless bait-and-switch
- To: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
- Subject: Re: seamless bait-and-switch
- From: Jann Horn <jannhorn@xxxxxxxxxxxxxx>
- Date: Fri, 9 Dec 2011 19:18:00 +0100
2011/12/8 Michal Zalewski <lcamtuf@xxxxxxxxxxx>:
> What part? The change of a URL that is not associated with the
> repainting of window contents? I believe that they are very unlikely
> to catch this after initially examining the URL, in absence of other
> indicators (change in URL length, page repainting, throbber activity).
And even if so - someone who's typing in his password will not
notice/react to a page reload for at least a few keystrokes. A
javascript could send those to the server immediately, and if it's a
semanic password, you might be able to guess the rest.