Hi guys,
I wrote a blog post about how an email can compromise your internal network
when using iDevices in
combination with a certain type of routers.
http://www.acunetix.com/blog/web-security-zone/the-email-that-hacks-you/
--
Bogdan Calin - bogdan [at] acunetix.com
CTO
Acunetix Ltd. -
Yes, I agree with you.
However, my opinion it that it should be fixed once and for all in iOS/Webkit
(and the other
browsers) by disabling resources loaded with credentials.
At some point, as a protection for phishing, URLs with the format
scheme://username:password@hostname/ were disabled.
From an architectural perspective, auto logins or whatever they're called
should work through a random string, just as most providers already do.
There is absolutely no reason to pass the username/password from a
URL, especially when in plain text as in these cases.
Since there is no loss of
Hello,
I can also confirm that this attack works on iPhone, iPad and Mac's
default mail client.
Of course, it works anywhere where arbitrary client-side code can be
executed... IMAHO, the issue here is not your iphone loading images,
there are millions of attack vectors to trigger this attack...
I totally agree with Christian, it is as insane as passing username and
passwords using GET requests. But congrats Bogdan for the bringing to us a
nice hack.
Have u shared the code as well Bogdan?
On Wed, Nov 28, 2012 at 5:07 PM, Christian Sciberras uuf6...@gmail.comwrote:
From an
Please if you could share the code, I would like to test it for my router
as well.
Thanks
On Wed, Nov 28, 2012 at 6:02 PM, Bogdan Calin bog...@acunetix.com wrote:
Thanks aditya,
The code is not published on the blog post but it's visible in the video.
It's very simple to reproduce this
Thanks aditya,
The code is not published on the blog post but it's visible in the video.
It's very simple to reproduce this problem.
On 11/28/2012 1:53 PM, aditya wrote:
I totally agree with Christian, it is as insane as passing username and
passwords using GET
requests. But congrats Bogdan