> It seems like a phishing attack would occur if a user clicks on a link and
> doesn't notice the absence of a new standard tab opening. E.g., I have a
> link to "Bank of America" but it's really still in the same site; the user
> can't see in the indicator bar that it's not bankofamerica.com, because
> there is no indicator bar.

I was thinking more along the lines of a site changing its favicon and appearance while the user is somewhere else (like tab napping[1]) and the user comes back to get phished. This wouldn't require the user to notice the absence of a new tab, but of course the phished app has to be an app that he commonly keeps open - for me in particular I imagine gmail would work.

Seems that the general assumption that Mozilla is making is that all the tabs that the user makes apps are trusted and won't be so rude as to do such not nice things.

cheers
devdatta

[1] http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ - Open the page, browse somewhere else for a few moments - note how the favicon changes and how the appearance changes.

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
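
Added example, not part of the original message or of any Mozilla code: a detection sketch for the behaviour described above, comparing the title and favicon a tab had when the user left it with what it shows on return. The event record format, the function name and the severity heuristic are assumptions made for this example, and the sample events are constructed.

```javascript
// In a browser the events would come from 'visibilitychange' and a
// MutationObserver on <title> and <link rel="icon">; here they are plain
// records so the logic can run offline.
function findHiddenIdentityChanges(events) {
  const current = { title: null, favicon: null };
  let hidden = false;
  let snapshot = null; // identity the user last saw before leaving the tab
  const alerts = [];
  for (const ev of events) {
    if (ev.type === 'title' || ev.type === 'favicon') {
      current[ev.type] = ev.value;
    } else if (ev.type === 'visibility') {
      if (ev.state === 'hidden' && !hidden) {
        hidden = true;
        snapshot = { ...current };
      } else if (ev.state === 'visible' && hidden) {
        hidden = false;
        const changed = Object.keys(current).filter(k => current[k] !== snapshot[k]);
        if (changed.length > 0) {
          // Heuristic (assumption): title-only changes are common and benign
          // (unread counters); title and favicon changing together is not.
          const severity = changed.length === 2 ? 'high' : 'low';
          alerts.push({ t: ev.t, changed, severity, before: snapshot, after: { ...current } });
        }
      }
    }
  }
  return alerts;
}

// Constructed sample: a page swaps its identity 60 seconds after losing focus.
const sampleEvents = [
  { t: 0, type: 'title', value: 'Example Blog' },
  { t: 0, type: 'favicon', value: '/blog.ico' },
  { t: 5, type: 'visibility', state: 'hidden' },
  { t: 65, type: 'title', value: 'Mail - Sign in' },
  { t: 65, type: 'favicon', value: '/mail.ico' },
  { t: 300, type: 'visibility', state: 'visible' },
  { t: 310, type: 'title', value: 'Example Blog (1)' }, // changed while visible
  { t: 400, type: 'visibility', state: 'hidden' },
  { t: 500, type: 'visibility', state: 'visible' },     // nothing changed
];

console.log(JSON.stringify(findHiddenIdentityChanges(sampleEvents), null, 2));
```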
