[Wolves] Spam ... my fail

Mark Rogers mark at quarella.co.uk
Wed Jul 7 06:51:34 UTC 2010

  On 07/07/10 00:23, Mike Hingley wrote:
> when I used what I assumed to be safe Kiosk windows PC at work to check my email

Obviously it's easy to point the finger at the "safe" Windows PC (which 
browser, out of curiosity?)

In my experience these problems are usually XSS (cross-site scripting) 
attacks, which as I understand them basically work like this: you log into 
webmail, receive an email with a link to somewhere, which you click on to open 
that website, which contains malicious code (usually because it has been 
hacked). So you have an active login to your mail, and you're visiting a site 
which downloads code to your browser (eg Javascript) which runs and makes 
calls to the webmail application on the server (eg Hotmail) to force it to 
send links to said webpage to all your friends. This relies on vulnerabilities 
in either the browser or the website (both?) and is particularly hard to beat 
because by definition it happens when you have an active connection open to 
your email thus potentially bypassing the login. The same could happen if you 
have an open login to your bank, for example, but this is much easier to 
defeat in principle (you're unlikely to be following links to malicious code 
from the bank, so the browser just needs to keep the sessions separate) but 
does illustrate why logging out of any accounts (bank, email, etc) when you've 
finished with them is important, rather than just closing the tab. Of-course 
it is hard to log out of your email before clicking on a link within it, which 
is what makes this particular problem so hard to defeat. My guess is that if 
you were to copy the link and paste it into a new tab then it might get a new 
session which might make XSS attacks harder, but I'm not an expert in these 
things. The browser *should* create an independent session when you open a 
link to a different site, but presumably not all browsers do, or if they do 
they don't keep different sessions completely separate. My guess would be that 
browsers like Chrome that run each tab as a separate process probably do 
better in this regard.

Mark Rogers // More Solutions Ltd (Peterborough Office) // 0844 251 1450
Registered in England (0456 0902) @ 13 Clarke Rd, Milton Keynes, MK1 1LG

More information about the Wolves mailing list