I've found a phishing exploit that can be used on IE / FF / Safari users.

Author Topic: I've found a phishing exploit that can be used on IE / FF / Safari users.  (Read 4592 times)


(details aren't stored, supply something to get an image)

Proof of concept here: https://animalspecial interestresearch.us/

This one has a more fun auth message if you feel like pranking people. Just hotlink it anywhere you want.
https://animalspecial interestresearch.us/members/horserooster-001.jpg

(This only works on FF/IE/Safari)




the image is broken

it works once i actually put info in

I'm getting the auth prompt on Chrome.

the image is broken
That's part of the exploit as described on the webpage.
« Last Edit: October 03, 2015, 01:45:36 PM by Otis Da HousKat »

« Last Edit: October 03, 2015, 01:45:55 PM by ThatRandomGuy »

I'm getting the auth prompt on Chrome.
You're getting it when you visit the site directly.

Opera and Chrome have a policy that is checked when opening the prompt. They ask, "Is the website we're at now the same as this image which required auth?" If the answer is "no", it shows a broken image. If you visit the site directly, you get the prompt.

Firefox, IE, and Safari DO NOT DO THIS. Meaning, when you open THIS PAGE in Firefox, you get a prompt saying your Facebook details need to be resubmitted while browsing Blockland.

the image is broken

it works once i actually put info in
The image is designed to break. Its job is to show the prompt. On Chrome and Opera, this only happens on the site itself. On all other browsers, it shows the prompt anywhere you link the image. This can be used to trick people into submitting information to what they believe is a trustworthy website.
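
Added example, not part of the original thread and not any browser's own code: a model of the same-origin check described above for Chrome and Opera, reused as a forum-side filter that lists embedded images which would raise an auth prompt for a third-party site. It assumes the prompt comes from an HTTP 401 response carrying a WWW-Authenticate header; the function names, hosts and sample responses are hypothetical and constructed.

```javascript
// Added example. Function names are hypothetical; sample data is constructed.

// Extract the scheme and realm text from a WWW-Authenticate header value.
function parseChallenge(value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  const [, scheme, params] = value.trim().match(/^(\S+)\s*(.*)$/s);
  const realm = params.match(/realm\s*=\s*"((?:[^"\\]|\\.)*)"/i);
  return {
    scheme: scheme.toLowerCase(),
    realm: realm ? realm[1].replace(/\\(.)/g, '$1') : '',
  };
}

// The check the thread attributes to Chrome and Opera: an auth challenge on an
// embedded resource is honoured only if it comes from the page's own origin.
function authPromptDecision(pageUrl, resourceUrl, status, headers) {
  const challenge = status === 401 ? parseChallenge(headers['www-authenticate']) : null;
  if (!challenge) return { action: 'no-prompt', challenge: null };
  const sameOrigin = new URL(pageUrl).origin === new URL(resourceUrl).origin;
  return { action: sameOrigin ? 'prompt' : 'broken-image', challenge };
}

// Forum-side use: list embedded images whose challenge comes from another
// origin, with the realm text a visitor would be shown in a lenient browser.
function flagEmbeddedImages(pageUrl, responses) {
  return responses
    .map((r) => ({ url: r.url, ...authPromptDecision(pageUrl, r.url, r.status, r.headers) }))
    .filter((r) => r.action === 'broken-image')
    .map((r) => ({ url: r.url, scheme: r.challenge.scheme, realm: r.challenge.realm }));
}

// Constructed sample: responses a forum's link checker might have recorded.
const SAMPLE_PAGE = 'https://forum.example/thread/42';
const SAMPLE_RESPONSES = [
  { url: 'https://forum.example/avatars/7.png', status: 200, headers: {} },
  { url: 'https://forum.example/private/a.png', status: 401,
    headers: { 'www-authenticate': 'Basic realm="forum.example members"' } },
  { url: 'https://img.example/pic.jpg', status: 401,
    headers: { 'www-authenticate': 'Basic realm="Please re-enter your \\"Example\\" login"' } },
  { url: 'https://img.example/missing.jpg', status: 404, headers: {} },
];

console.log(flagEmbeddedImages(SAMPLE_PAGE, SAMPLE_RESPONSES));
```

A forum could run a check like this when a post is submitted and refuse or proxy any image URL that comes back flagged.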



works on mobile too

okay i get it now

this is crazy lol

Wow, that's kinda scary.
Just takes a couple minutes to recreate, too

Good thing it only works on places you can embed images. Something like Facebook where you have to reupload the image to FB wouldn't work.
« Last Edit: October 03, 2015, 01:56:59 PM by Headcrab Zombie »

it also works on Edge
spooked me at first

spooked me on iOS Safari