Comments on: OpenID Guerrillas: Day Five

By: Tamlyn

Tamlyn — Mon, 10 Mar 2008 17:57:38 +0000

Seems fairly simple. In effect the attacker is indistinguishable from a genuine user so there's no way of preventing it from loading all the relevant content (text, images, stylesheets, scripts) from the identity provider. From that point it's just a case of spitting it out again to the victim of the attack. It's a tricky one.

By: Kelly

Kelly — Fri, 07 Mar 2008 18:19:09 +0000

Does that add enough faff to the phish attempt to discourage it? Or is it dead simple (tm)?

By: Tamlyn

Tamlyn — Fri, 07 Mar 2008 16:30:07 +0000

Referrer checking on images is easily overcome by changing the image source to point to a proxy on the phishing server which loads the correct images from the identity provider by sending a fake referer header.