lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 28 Apr 2005 22:06:35 +0100
From: "pak_ml" <pak_ml@...penworld.com>
To: "'Sara Togian'" <saratogian@...il.com>,
	<bugtraq@...urityfocus.com>
Subject: RE: Netflix Site may assist Phishing


Simple scan of UK banks will show that they are not the only one. HSBC is
the only bank where I could not find this kind of redirection...

Cheers

Pak76

-----Original Message-----
From: Sara Togian [mailto:saratogian@...il.com] 
Sent: 28 April 2005 14:48
To: bugtraq@...urityfocus.com; abuse@...flix.com
Subject: Netflix Site may assist Phishing

Hello,

Similar to the previously discussed issues with the eBay and Capital
One website, Netflix also has a redirect which can assist phishing.

https://www.netflix.com/redirect.jsp?target=http://dummy.site.com/ 

Or, it can be made even more obscure:

https://www.netflix.com/redirect.jsp?target=%68%74%74%70%3A%2F%2F%67%6F%6F%6
7%6C%65%2E%63%6F%6D%2F

I have not yet seen phishing emails to Netflix, but since they do have
credit card info, I can't see them not occuring at some point. In
either case, it's a major website with a silly issue. As well, it can
look even more valid as it is a link to a secure site.

History:

Netflix was notified on Wednesday April 20, 2005. I got a form letter
back, no other response, and the issue is still there.

I again tried Netflix on 4/25.  Customer Service response that the
email is being sent to the proper department. Issue still there.

4/28, I figured this was enough time for a fix or a response from the
"proper department" and reported the issue to BugTraq. Not fixed at
time of sending this.

Regards,
KM

-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.10.4 - Release Date: 27/04/2005
 

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.10.4 - Release Date: 27/04/2005

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ