Re: Fwd: New possible scam method : forged websites using XUL (Firefox)
In-Reply-To: <20040730210508.GT19188@xxxxxxxxxxxxxxxxx>
"The security implications of
this trick were considered as early as 1999 in Mozilla Bug 22183
(http://bugzilla.mozilla.org/show_bug.cgi?id=22183). However, the
Mozilla Foundation has kept the Bug confidential until recently,
when a researcher noted the problem and published a
particularly-effective demonstration, spoofing a "PayPal" login
site (see http://www.nd.edu/~jsmith30/xul/test/spoof.html)."
5 Years to fix a vuln? I am not sure if even Microsoft has been that slow to
confront a security flaw. Has anyone heard an explanation as to why this was
kept confidential and swept under the rug until now?
BTW: Thank you Mr. Smith for an excellent page.
Jo