+1. Looking at the <a href> is not enough, and fixing OR has likely negligible impact on phishing. https://sites.google.com/site/bughunteruniversity/nonvuln/attacks-facilitating-phishing-or-social-engineering …
Replying to @kkotowicz @mikko
well, TBF, IMO, this is slightly worse than classic OR, and the "looking at <a href>" part doesn't apply here
1 reply 0 retweets 0 likes
it is pretty nasty that, following a legitimate login page, a fake "wrong password" error page can be shown
1 reply 0 retweets 0 likes
the initial click is from external site, so tabnabbing could do the same (modulo timing maybe)
1 reply 0 retweets 0 likes
I know, hence +1. I don't get why it's nastier though
1 reply 0 retweets 0 likes
Replying to @kkotowicz @mikko
you said "Looking at the <a href> is not enough" - and with classic OR, yeah, the user has to look at the address bar once
2 replies 0 retweets 0 likes
but here (and also with tabnabbing), the user has to monitor the address bar more or less continuously
2 replies 0 retweets 1 like
(but also: why is tabnabbing still a thing? can't chrome and firefox kill cross-origin, cross-tab location writes?)
2 replies 0 retweets 0 likes
b/c a) IE b) that might break stuff, telemetry needed. You don't just remove stuff from the platform.
1 reply 0 retweets 1 like
a) making stuff secure for non-IE users is still a win. b) yeah, telemetry might be needed, doesn't make it infeasible