1996-01-30 - Re: FL Demonstrates Fatal Flaw in Logins

Header Data

From: br@scndprsn.Eng.Sun.COM (Benjamin Renaud)
To: joseph@genome.wi.mit.edu
Message Hash: dd92e043af7c16702f51105f2604105bf1b4062aa7701982a90d14ca1f762ffd
Message ID: <199601300603.WAA11063@springbank.Eng.Sun.COM>
Reply To: N/A
UTC Datetime: 1996-01-30 07:26:45 UTC
Raw Date: Tue, 30 Jan 1996 15:26:45 +0800

Raw message

From: br@scndprsn.Eng.Sun.COM (Benjamin Renaud)
Date: Tue, 30 Jan 1996 15:26:45 +0800
To: joseph@genome.wi.mit.edu
Subject: Re: FL Demonstrates Fatal Flaw in Logins
Message-ID: <199601300603.WAA11063@springbank.Eng.Sun.COM>
MIME-Version: 1.0
Content-Type: text/plain



A couple of posts have raised the issue of doing the FV keyboard-capture
attack using Java.

|However, I don't know much about Java, would it be possible to make such an
|applet with Java?

The only events a Java applet is privy to are those that are typed in
an applet window (and only those it itself spawned). So if a user types
their credit card number in an applet window, the applet could send the
information back to its server (and to that server only). 

In theory, it is possible to make an applet which appears to be selling
something, get people to visit the page it's on, convince these people
to enter their credit card numbers, and send those back to the server
of origin. Of course, once this happens, you always know what host the
applet came from (unless the thief, in order to get a few credit card
numbers, has hacked DNS so that it's harder to track it).

That's the extent of the risk.

-- Benjamin Renaud
   Java Products Group





Thread