Non-recoverable auth failure?

Jean-Luc Delatre jld at
Fri Jun 24 10:35:39 PDT 2005

Evan Martin wrote:

>On 6/24/05, Brad Fitzpatrick <brad at> wrote:
>>Yes, phishing will still happen, but let's not encourage it.
>One plausible attack is this:  if I discover some place where HTML
>isn't escaped in an LJ page, I can construct a URL to that page that
>contains the HTML to cover the page with an iframe on my evil site.
>From the user's perspective, they're on an LJ page with a crazy URL so
>it looks ok.
>Ways to help avoid this:
>1) Include on the openid auth page the text: "Verify that the URL bar
>says, if it's not you may be getting
>phished" or whatever it is.
Oh, yeah?
You didn't read this likely (it was on my previous post)

And *do* click on their links as they appear below

Test Your System
Test Now - Left Click On This Link <--- it says "http://www.paypа"

It has been fixed on some browsers but not all users will be up to date...

>2) Show the user some personal information that makes them more likely
>to trust the site, like userpics, etc.  Unfortunately the phishers can
>just download the userpics.  If the user has hidden any of their
>userinfo you can say something like "to prove this is really LJ, I'll
>mention that you were born in 1986, despite that being non-public
No chance either, it is getting complicated and users *don't* pay attention.
Therefore it should be assumed that it will happen, in which case it
should only damage *this* fooled user,
not the consumer or, even worse, the server (by giving a way to disclose
some "secret").
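The "paypа" link above is an IDN homograph: a Cyrillic а (U+0430) standing in for the Latin a, which older browsers rendered identically. The following is an added example, not code from the thread or from the OpenID/yadis projects, showing how a relying party or a mail gateway can flag such a hostname on the server side by converting it to its ACE (xn--) form and checking each DNS label for mixed scripts. The sample URLs are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit


def label_scripts(label: str) -> set:
    """Approximate the Unicode scripts used by the letters of one DNS label.

    unicodedata exposes no script property, so the first word of the
    character name is used as a proxy ("CYRILLIC SMALL LETTER A" -> CYRILLIC).
    ASCII letters count as LATIN; digits, hyphens and other non-letters are skipped.
    """
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        if ch.isascii():
            scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def analyse_url(url: str) -> dict:
    """Report homograph indicators for the hostname of a URL."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    # A label mixing e.g. LATIN and CYRILLIC letters is the classic paypal spoof.
    mixed = [lbl for lbl in labels if len(label_scripts(lbl)) > 1]
    non_ascii = [lbl for lbl in labels if not lbl.isascii()]
    # The ACE form is what the resolver actually looks up; it turns the
    # look-alike label into a visible "xn--..." label.
    ace = host.encode("idna").decode("ascii")
    return {
        "host": host,
        "ace": ace,
        "mixed_script_labels": mixed,
        "non_ascii_labels": non_ascii,
        "suspicious": bool(mixed or non_ascii),
    }


if __name__ == "__main__":
    # Constructed samples: a plain ASCII host and a Cyrillic-a look-alike.
    for sample in ("https://www.livejournal.com/openid/",
                   "http://www.p\u0430ypal.com/cgi-bin/webscr"):
        print(analyse_url(sample))
```

The check is deliberately conservative: any non-ASCII label is reported, not only mixed-script ones, because a label written entirely in Cyrillic look-alikes has a single script and would otherwise pass.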