Angry Phishing Pictures

As the saying rightly goes: "Everything new is well-forgotten old."

The ability to embed remote resources (for example, images from other sites) in a page of your site is a very bad practice, one that can at some point lead to rather serious consequences for the site. Even 10 years ago I was surprised to read that this was possible. Now 10 years have passed, nothing has changed, and it seems unlikely that it ever will.

Details under the cut

Theory and practice


1. An angry user (a hacker, if you like) registers a domain whose spelling resembles the attacked domain.
2. Puts a PHP script on it with the following content:



3. Writes an article and embeds the picture in the post:

image

4. If the site has moderation, submits the article for moderation.
5. Suppose the article turns out well for him and it lands on the front page.
6. The angry person sees his brainchild on the front page and uncomments the PHP code, so that in response to the request for the picture from the post every user gets an authorization window in the browser, in which anything at all can be written, for example that the site is fending off DDoS attacks and asks them to re-enter their username and password.
7. An inattentive user does not read the domain name in the authorization form and submits their username and password.
8. The evil person receives your username and password; his goal is achieved.

Protection methods


I think there are two sane methods:

  • At the browser level: a ban on showing an authorization window on behalf of another site
  • At the level of site developers: copying all remote resources to your own hosting
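The second method, applied to user-submitted HTML, as an added example that is not part of the original post: every remote `<img src>` is fetched server-side, any response that demands credentials (a 401 or a `WWW-Authenticate` header, which is exactly the trick described above) or that is not actually an image is discarded, and the rest are stored under our own origin and the `src` rewritten. The fetch function is injectable, so the module runs offline against constructed sample responses; the host names, the `/static/img/` path and the `store` callback are assumptions for the example.

```python
"""Rehost remote images from user HTML so browsers never contact third-party hosts."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    """Minimal HTTP response; header names are lower-case."""
    status: int
    headers: Dict[str, str]
    body: bytes


MAX_IMAGE_BYTES = 5 * 1024 * 1024
LOCAL_PREFIX = "/static/img/"  # assumed path served from our own origin

# <img ...src="URL"...> ; groups: tag up to the quote, the URL, the rest of the tag
_IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=["\'])([^"\']+)(["\'][^>]*>)', re.I)
_MAGIC = ((b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpg"),
          (b"GIF87a", "gif"), (b"GIF89a", "gif"))


def sniff_image(body: bytes) -> Optional[str]:
    """Return a file extension if the bytes start like a known image format, else None."""
    for magic, ext in _MAGIC:
        if body.startswith(magic):
            return ext
    if body[:4] == b"RIFF" and body[8:12] == b"WEBP":
        return "webp"
    return None


def rehost_image(url: str, fetch: Callable[[str], Response],
                 store: Callable[[str, bytes], None]) -> Tuple[Optional[str], str]:
    """Fetch one remote image; return (local_path, 'ok') or (None, reason)."""
    resp = fetch(url)
    # The phishing trick: the "image" answers with an authentication challenge.
    if "www-authenticate" in resp.headers or resp.status in (401, 407):
        return None, "demands credentials"
    if resp.status != 200:
        return None, f"status {resp.status}"
    ctype = resp.headers.get("content-type", "").split(";")[0].strip().lower()
    if not ctype.startswith("image/"):
        return None, f"content-type {ctype or 'missing'}"
    if len(resp.body) > MAX_IMAGE_BYTES:
        return None, "too large"
    ext = sniff_image(resp.body)  # trust the bytes, not the declared type
    if ext is None:
        return None, "body is not an image"
    name = hashlib.sha256(resp.body).hexdigest()[:32] + "." + ext
    store(name, resp.body)
    return LOCAL_PREFIX + name, "ok"


def rehost_html(html: str, fetch: Callable[[str], Response],
                store: Callable[[str, bytes], None]) -> Tuple[str, List[Tuple[str, str]]]:
    """Rewrite remote <img> tags to local copies; drop tags that fail the checks."""
    rejected: List[Tuple[str, str]] = []

    def replace(m: "re.Match[str]") -> str:
        url = m.group(2)
        if not url.lower().startswith(("http://", "https://")):
            return m.group(0)  # relative/local reference: leave as is
        local, reason = rehost_image(url, fetch, store)
        if local is None:
            rejected.append((url, reason))
            return ""  # remove the tag entirely
        return m.group(1) + local + m.group(3)

    return _IMG_SRC.sub(replace, html), rejected


# Constructed sample responses standing in for real hosts (offline demo).
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_RESPONSES = {
    "https://cdn.example.test/cat.png":
        Response(200, {"content-type": "image/png"}, PNG_STUB),
    "https://habrahabr.ru.example-phish.test/pic.png":
        Response(401, {"www-authenticate": 'Basic realm="Site under DDoS, please re-login"'}, b""),
    "https://cdn.example.test/notimage.png":
        Response(200, {"content-type": "image/png"}, b"<html>not an image</html>"),
}


def fake_fetch(url: str) -> Response:
    return SAMPLE_RESPONSES.get(url, Response(404, {}, b""))


def demo() -> Tuple[str, List[Tuple[str, str]], Dict[str, bytes]]:
    stored: Dict[str, bytes] = {}
    html = ('<p>Post body</p>'
            '<img src="https://cdn.example.test/cat.png">'
            '<img alt="x" src="https://habrahabr.ru.example-phish.test/pic.png">'
            '<img src="https://cdn.example.test/notimage.png">'
            '<img src="/static/img/local.png">')
    out, rejected = rehost_html(html, fake_fetch, stored.__setitem__)
    return out, rejected, stored


if __name__ == "__main__":
    out, rejected, stored = demo()
    print(out)
    for url, reason in rejected:
        print("rejected", url, "->", reason)
```

Because the copy is taken once, at submission time, this also covers the danger mentioned later in the post: if the original host is later compromised and the picture swapped for something else, the post keeps serving the frozen local copy.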


PS

Habrahabr.ru is no exception here: it has posts on the front page with pictures from other resources. So it is simply worth keeping this trick in mind and always checking the domain name that is asking for authorization before typing a single letter.

There is also always the potential danger that, while the picture is on the front page, the site from which it is loaded can be hacked just to replace the picture with a script.

PPS

I do not consider this a bug.
It is nothing more than a trick that is officially allowed by the HTTP protocol.
