[LINK] Is Internet Explorer really this accommodating for phishing?

Stilgherrian stil at stilgherrian.com
Fri Feb 9 15:29:10 AEDT 2007


On 9/2/07 3:15 PM, "Rick Welykochy" <rick at praxis.com.au> wrote:
> Holy crapola, Batman. Does IE really allow Javascript (or some other
> mechanism) to change the address control and fool the user even more than I
> thought?

Yes, in Internet Explorer up to version 6, from memory, JavaScript can be
used to turn on and off "furniture" such as the address bar, the forward and
back buttons -- and the status bar.

And of course JavaScript could be used to create any sort of clickable thing
that looked sufficiently like an actual status bar that the casual user
wouldn't see the difference. And, since Microsoft and other software vendors
like to make gratuitous changes to the user interface to show how "new and
cool" their product is, the casual user isn't particularly concerned if the
appearance of controls changes suddenly.

I had heard that in IE7 you can't change furniture in JavaScript this way,
at least by default, but not sure.

In any event, just have a big thing on your site which says "To use this
site, go to Internet Preferences and change your security level to
medium-low" and you're done. :)

HTH,

Stil


-- 
Stilgherrian http://stilgherrian.com/
Internet, IT and Media Consulting, Sydney, Australia
mobile +61 407 623 600
fax +61 2 9516 5630
ABN 25 231 641 421







