On Wed, Nov 10, 2004 at 08:27:41PM +0800, Robert Vangel wrote:
> That may be so, but isn't it the fact that IE gives the credentials of
> the currently logged on user straight away, not defaulting to asking for
> a username and pass first.
Right. I asked the question wrongly at first. It's IE, not IIS or Apache, who seems to be vulnerable to a phishing attack. It surely seems like a huge attack surface. IE hands out your username and password; all anybody has to do is ask! Of course you have to hit OK, but if you didn't know what you were doing, you might hit okay. Also it seems like IE might silently attempt to hand it out before it prompts you with that dialog. But, even if that's not the case, a dumb user might be phished into hitting okay.

Will test this when I get some more time.