Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI: IE7 - Phishing vs. Privacy



http://portal.spidynamics.com/blogs/spilabs/

-----------------
IE7 - Phishing vs. Privacy
19 December 06 03:01 PM | LabsMan | 0 Comments   

    Today I was testing WebInspect on my newly installed version of
Vista with IE7 and found something startling.  When running a browser
through a proxy you can see SOAP requests being made to Microsoft as you
hit each page.  Here is what the requests look like.

    POST /urs.asmx?MSPRU-Client-Key=l7m7EvM2K/IVNQCBF7AVPg%3d%3d&MSPRU-Patented-Lock=XdXWSI8WgDg%3d HTTP/1.1
    Accept: text/*
    SOAPAction: "http://Microsoft.STS.STSWeb/Lookup"
    Content-Type: text/xml; charset=utf-8
    User-Agent: VCSoapClient
    Host: urs.microsoft.com
    Content-Length: 648
    Cache-Control: no-cache

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><soap:Body><Lookup xmlns="http://Microsoft.STS.STSWeb/"><r soapenc:arrayType="xsd:string[1]"><string>http://zero.webappsecurity.com/pindex.asp</string></r><ID>{B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F}</ID><v soapenc:arrayType="xsd:string[5]"><string>7.0.6004.6</string><string>7.00.5824.16386</string><string>7.0.6000.16386</string><string>6.0.6000.0.0</string><string>en-us</string></v></Lookup></soap:Body></soap:Envelope>

    You can see in the SOAP envelope the full URL of the site I am
browsing.  Upon further investigation, this is how IE7 implements their
real time Phishing notification.  In the settings of IE you will find
the option to disable or enable this under "Phishing Filter".  This
raises some serious questions; here are just a few that I can think
of:

    1)      I don't recall being notified that this was occurring.  Now
I am the first to admit I don't read every installation page, disclaimer
or EULA but I would think this would be a BIG screen explaining the
setting and the consequences of the option.

    2)      Everyone knows you can trust MS with personal data, but this
is a bit much.  The ability to track every single web page that is
visited is, needless to say, powerful information.

    3)      Why in the world does Microsoft feel it necessary to check
INTERNAL ADDRESSES for phishing web sites?  Yes, this actually happens.
I browsed to a 172. address and a request with the full internal IP was
sent to Microsoft.

    4)      Post data and query data is not submitted, but what are the
implications of websites that keep session state in the URL or
user-sensitive information (seen in URL rewriting)?  This data being
transferred to a site other than the one I am visiting, even though via
SSL, still does not give one a warm fuzzy feeling.

    5)      What are the other parameters in the request used for?
Client-Key?  Is this key really tied to me?  If so, is it really
necessary for MS to know this to inform me of a phishing site?

    Feel free to comment on other implications that you can think of.  
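
To measure what these lookups disclose in your own proxy captures, the following added example (not code from the original post or from Microsoft) parses a Lookup body in the shape shown above and flags URLs whose host is a private-range IP address or whose path carries a session identifier. The request bodies, the second and third sample URLs, and the names `audit_lookup` and `sample_request` are assumptions made for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "sts": "http://Microsoft.STS.STSWeb/"}
# Session state rewritten into the path: Java ";jsessionid=" and
# ASP.NET cookieless "/(S(...))/" segments.
SESSION_IN_PATH = re.compile(r";jsessionid=|/\(S\([^)]+\)\)/", re.I)

def audit_lookup(body):
    """Return one finding per URL carried in a captured Lookup request body."""
    root = ET.fromstring(body)
    findings = []
    for node in root.findall("soap:Body/sts:Lookup/sts:r/sts:string", NS):
        url = (node.text or "").strip()
        parts = urlsplit(url)
        try:
            internal = ipaddress.ip_address(parts.hostname or "").is_private
        except ValueError:
            internal = False  # host is a DNS name, not an IP literal
        findings.append({
            "url": url,
            "internal_host": internal,
            "session_in_path": bool(SESSION_IN_PATH.search(parts.path)),
        })
    return findings

def sample_request(url):
    """Constructed body modelled on the post's request (ID and versions omitted)."""
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
            'xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><soap:Body>'
            '<Lookup xmlns="http://Microsoft.STS.STSWeb/">'
            '<r soapenc:arrayType="xsd:string[1]"><string>%s</string></r>'
            '</Lookup></soap:Body></soap:Envelope>' % url)

# First URL is the one from the post; the other two are constructed samples.
SAMPLE_URLS = [
    "http://zero.webappsecurity.com/pindex.asp",
    "http://172.16.4.20/wiki/payroll.html",
    "http://shop.example/(S(k3f0v2xq))/cart.aspx",
]

if __name__ == "__main__":
    for sample_url in SAMPLE_URLS:
        for finding in audit_lookup(sample_request(sample_url)):
            print(finding)
```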



 



