Re: [VulnDiscuss] Re: [VulnWatch] Secunia Research: Multiple Browsers Tabbed Browsing Vulnerabilities
From: Pascal Meunier (pmeunier cerias.purdue.edu)
Date: Thu Oct 21 2004 - 15:42:42 CDT
Things from one context that unexpectedly appear in another are at least
bad UI practice... As to whether it should be called a "vulnerability",
that depends on whether you could be fooled by it. If you expect or desire
("policy" used in the broadest sense) to have self-consistent UI contexts,
this is a vulnerability by that definition. Calling victims of a scam
"dumb" is victimizing them over again. UI abuse ("phishing") victims have
my sympathy, and I am in favor of improving user interfaces. People
shouldn't have to browse the web prepared to defend themselves at every
click like people used to travel in the far-west.
Note the solution too: disable JavaScript. I hate client-side
scripting (because it has repeatedly been demonstrated to be an exploit
vector), and web-sites that make it mandatory to see any content whatsoever
(like http://3com.com).
Cheers,
Pascal Meunier, M.Sc., Ph.D., CISSP
On 10/21/04 5:50 AM, "Tig" <tigger onemoremonkey.com> wrote:
> On Wed, 20 Oct 2004 15:02:01 +0200
> Jakob Balle <jb secunia.com> wrote:
>
>> ======================================================================
>>
>>
>> Secunia Research 20/10/2004
>>
>> - Multiple Browsers Tabbed Browsing Vulnerabilities -
>>
> [.. snip..]
>
> Oh please. Is this a troll or some kind of bad joke? How is it any
> different from having two windows open? When will 'lack of user
> understanding' stop being called 'an exploit' and start being treated as
> what it really is - dumb users.
>
> How about educating users instead of making the internet seem like a
> really scary place.
>
>