Keychain susceptible to phishing attacks?

[Player-16]Player-16 - 08:02pm Mar 9, 2006 PST

I've accidentally discovered a keychain flaw. As you know when you register into a site that requires your user name and password, keychain would ask 3 questions: 'never for this site', 'only once', 'allow' (or words to that effect). Going thru my web page email, I came across a PayPal spoof - as one does. It took me to a page and I loaded a spam address into it. [I chose 'never...'] It did not like that. So I clicked around and it was rather laid out. In my url the usual 'P' wasn't showing so that was a red flag anyway. Further along the url the regular http://www.paypal was up. Before too long I came back to the log-in page. Still curious, I clicked on a tab and lickety-split my log-in and password was filled and off to the phony spoof bowels it went. I was shocked! 'YOU IDIOT! YOU WEREN'T SUPPOSED TO FILL THAT OUT!' I gestured to the computer.

The thing was that the 'Keychain' program detected the http:// part of the url and thought it was legit. I pulled my $16.98 right out and informed PayPal. I haven't made it to the Apple site yet but I figured I'll tell everyone else first -like the FTC and such. After my rant, I chopped the paypal off the url and the page blinked and took me to ATT Business. Charming.



[I think the old saying about curiosity might come into play here... :-) -Adam]



kirklists (apparently) - Mar 10, 2006 3:24 pm (#1 Total: 2)  

Posts: 73
Re: Keychain susceptible to phishing attacks?

On Mar 10, 2006, at 4:02 AM, Player-16 wrote:
> I've accidentally discovered a keychain flaw. As you know when you
> register into a site that requires your user name and password,
> keychain would ask 3 questions: 'never for this site','only once',
> 'allow' (or words to that effect). Going thru my web page email, I
> came across a PayPal spoof - as one does. It took me to a page and
> I loaded a spam address into it. [I chose 'never...'] It did not
> like that. So I clicked around and it was rather laid out. In my
> url the usual 'P' wasn't showing so that was a red flag anyway.
> Further along the url the regular http://www.paypal was up. Before
> too long I came back to the log-in page. Still curious, I clicked
> on a tab and lickety-split my log-in and password was filled and
> off to the phony spoof bowels it went. I was shocked! 'YOU IDIOT!
> YOU WEREN'T SUPPOSED TO FILL THAT OUT!' I gestured to the computer.
>
> The thing was that the 'Keychain' program detected the http:// part
> of the url and thought it was legit. I pulled my $16.98 right out
> and informed PayPal. I haven't made it to the Apple site yet but I
> figured I'll tell everyone else first -like the FTC and such. After
> my rant, I chopped the paypal off the url and the page blinked and
> took me to ATT Business. Charming.

That's not Keychain's fault, it's Safari's auto-fill. If you're
planning to try out phishing sites, turn off auto-fill.


Kirk

                       Author of: iPod & iTunes Garage
                      http://www.mcelhearn.com/ipod.html
                - - - - - -
              Read my blog: Kirkville -- http://www.mcelhearn.com
           Musings, Opinion and Miscellanea, on Macs, iPods and more
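
Whatever Safari did in this particular case, the failure reported in the thread (saved credentials filled on a page whose address merely contains the real site's URL) is the one that exact-origin matching prevents. The following is an added JavaScript example, not written by any poster and not Safari's or Keychain's code; the saved record and all URLs are constructed sample data.

```javascript
// Added illustration: decide whether saved credentials may be offered for a page.
// The saved-credential record and every URL below are constructed samples.

// Origin the credential was saved for (scheme + host + port).
const SAVED = { origin: "https://www.paypal.com", username: "user@example.com" };

// Naive check: "does the address mention the saved site anywhere?"
function naiveMatch(pageUrl, saved) {
  const host = new URL(saved.origin).hostname;
  return pageUrl.includes(host);
}

// Strict check: parse the address and compare the full origin exactly.
function strictMatch(pageUrl, saved) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return false; // unparseable address: never fill
  }
  if (page.protocol !== "https:") return false; // no fill over plain http
  return page.origin === new URL(saved.origin).origin;
}

const SAMPLES = [
  "https://www.paypal.com/signin",                      // the real origin
  "http://203.0.113.7/cgi/http://www.paypal.com/login", // real URL buried in the path
  "http://www.paypal.com@login.example.net/",           // real host in the userinfo part
  "https://www.paypal.com.example.net/signin",          // real host as a subdomain label
  "http://www.paypal.com/signin",                       // right host, no TLS
];

// Evaluate both checks for each sample address.
function report(samples, saved) {
  return samples.map((url) => ({
    url,
    naive: naiveMatch(url, saved),
    strict: strictMatch(url, saved),
  }));
}

for (const r of report(SAMPLES, SAVED)) {
  console.log(`${r.strict ? "FILL " : "BLOCK"} (naive=${r.naive}) ${r.url}`);
}
```

The substring check accepts all five addresses; the origin check offers the credential only on the first.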



Jochen Wolters (apparently) - Mar 10, 2006 3:24 pm (#2 Total: 2)  

Posts: 137
Re: Keychain susceptible to phishing attacks?

> Going thru my web page email, I came across a PayPal spoof - as one
> does. It took me to a page and I loaded a spam address into it. [I
> chose 'never...'] It did not like that.

Safari only shows that dialog if you enter data into a web page's
form fields and submit this data. If you don't actually submit any
data, it won't ask. Just wondering: did you submit anything before
Safari asked about remembering the form data?


> Still curious, I clicked on a tab and lickety-split my log-in and
> password was filled and off to the phony spoof bowels it went.

Are you saying that all form fields on the page you were viewing were
empty before you clicked the tab, and only when you
clicked that tab, did Safari fill in the fields and submit the page?


On a more general note, to be safe from phishing attacks like the
one you describe, just make it a habit _never_ to click any URL in
such an email -- not even out of curiosity *ho-hum* ;). Instead,
_always_ go to their webpage manually or via a bookmark that you know
to be safe, and check for any messages related to the email directly
on the site.


Jochen.


--
A Polytrope's Musings <http://www.polytropia.com/musings>
Polytropic Flickr Pix <http://www.flickr.com/photos/polytropia>



