Here is an interestig thought. What if you could chat with someone LIVE and infect him with a malicious script?
Well I thought its a nice idea in theory, untill I bumped into this:
Think of a malicious attacker that could of take advantage of this issue.
Here is the scenario:
Attacker side:
1. Open chat
2. Wait for the technitian to respond
3. Send him a malicious script that will capture the document.cookie with a link to your
website and hope for the best.
Technician side:
1. Getting another chat with some anonymous dude
2. Start chatting with him like his doing a 1000 times a day
3. Hmmm.... what is that link? I'm not familiar with security aspects... Let's click it /:
Conclusion:
The implications of capturing the Technician's cookie is analogous to an Administrator's one.
It could not have the same privileges, but it has to have privileges for accessing the system, or else how would he be talking to you.
That's a short one. Hope You enjoyed.
No comments:
Post a Comment