________________________________________________________________________________ Blue Adept's Notes On Zkey Exploit Zkey was an interesting exploit for two reasons. First, the site is SSL'd - served off a secure socket layer (medium-grade encryption key RC4-40) which encrypts data in transit and also also restricts the kinds of cross-site scripting techniques that can be used without alerting the user to suspicious activity. Secondly, the email service itself has filters in place to strip out malicious code from the body of email messages. But both security measures were surmountable. The big picture: wanted to send an email message that contained js code to another z-key account. when the recipient views the email message, the js code runs, and takes over the gui. From there, it's a matter of choosing 'how' to get at the recipient's sensitive data, not 'whether'. First tried sending some javascript code in
________________________________________________________________________________ no copyright 2000 rolux.org - no commercial use without permission.