[30742] in bugtraq

Internet Explorer Full-Screen mode threats

daemon@ATHENA.MIT.EDU (Marek Bialoglowy)
Tue Jul 15 14:40:44 2003

Message-ID: <003701c34adf$6d400360$6f00a8c0@ultor>
From: "Marek Bialoglowy" <mb@systemintegra.com>
To: <bugtraq@securityfocus.com>
Date: Tue, 15 Jul 2003 21:43:13 +0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Hello,

I was reading the "IE chromeless window vulnerabilities" thread and thought
maybe I could add some proof of concept to this discussion.

This very simple demo:

http://www.systemintegra.com/ie-fullscreen/

shows how a system password could be captured thanks to Internet Explorer
working in full-screen mode.

Certainly it could be more advanced and designed to detect the platform to
show the correct login window. It will work fine on the local network; however,
it has to be optimised for Internet use - everything has to appear
immediately and no download process can be visible.

Best Regards,

 Marek Bialoglowy (ultor@systemintegra.com) - IT Security Researcher
 PGPkey: http://www.systemintegra.com/pgp/ultor.asc | ID: 0x4B36656E
 JOB: (CTO) System Integra | JKT, Indonesia | Timezone: JAVT, GMT +7

