
Phishing using data from VK / Facebook

Just yesterday a post about phishing in Gmail was published, and in one of the comments @Chickey wrote:


Yes, I myself came across this:



Actually, my first thought was: does the VK API really just append its blocks to the page through JS? Is the necessary data pulled out of that block and substituted into the phishing form? So we could log every visitor to our site who is logged in to VK? Nonsense (although my first reaction was to worry about my own account).

I immediately inspected the elements in question and saw that the widget is a cross-domain iframe. We cannot read the frame's data through JS, because we run into the Same Origin Policy.

While thinking it over, I loaded the phishing page in an incognito window (Ctrl+Shift+N) and, instead of my own profile, got a crooked, misaligned VK login form. So the phishing page simply uses CSS to draw its own blocks over the page, partially covering the VKontakte widgets and login forms.

In just a few minutes I threw together a rough phishing PoC:



It should look something like this:

VKontakte

Facebook

Which is exactly what was to be proven.
So do not worry if you see your account data on some banner. Nobody gets access to your account data without your permission; all of this is just a CSS trick. This is not a bug, this is a feature.
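The trick described above is a layout trick: the site's own styled blocks are stacked above a cross-origin widget iframe so that the two visually merge. The following heuristic is an added example, not code from the original post; it flags cross-origin iframes that are substantially covered by elements stacked above them. The element list, page origin and widget URL are constructed test data; in a browser the rectangles would come from getBoundingClientRect() and the z-index from getComputedStyle().

```javascript
// Added example (not from the original post): flag cross-origin iframes that
// other elements are drawn over, the overlay pattern used by the phishing page.

// Area of the intersection of two axis-aligned rectangles {x, y, w, h}.
function rectIntersection(a, b) {
  const left = Math.max(a.x, b.x);
  const top = Math.max(a.y, b.y);
  const right = Math.min(a.x + a.w, b.x + b.w);
  const bottom = Math.min(a.y + a.h, b.y + b.h);
  if (right <= left || bottom <= top) return 0;
  return (right - left) * (bottom - top);
}

// Origin of the frame's src, or null when it is same-origin with the page.
function crossOriginOf(src, pageOrigin) {
  try {
    const origin = new URL(src, pageOrigin).origin;
    return origin === pageOrigin ? null : origin;
  } catch (e) {
    return null; // unparsable src: treat as same-origin rather than guessing
  }
}

// elements: [{ id, tag, rect: {x, y, w, h}, zIndex, src? }]
// Returns one finding per cross-origin iframe whose covered fraction reaches
// `threshold`. Overlaps of several covering elements are summed, so the
// fraction is capped at 1 (it is a heuristic, not an exact union).
function findOverlaidFrames(elements, pageOrigin, threshold = 0.2) {
  const findings = [];
  for (const frame of elements) {
    if (frame.tag !== 'iframe') continue;
    const origin = crossOriginOf(frame.src, pageOrigin);
    if (origin === null) continue;
    let covered = 0;
    const coveredBy = [];
    for (const el of elements) {
      if (el === frame || el.tag === 'iframe') continue;
      if (el.zIndex <= frame.zIndex) continue; // only elements stacked above
      const overlap = rectIntersection(frame.rect, el.rect);
      if (overlap > 0) { covered += overlap; coveredBy.push(el.id); }
    }
    const fraction = Math.min(1, covered / (frame.rect.w * frame.rect.h));
    if (fraction >= threshold) findings.push({ frame: frame.id, origin, fraction, coveredBy });
  }
  return findings;
}
```

Browsers that implement Intersection Observer v2 (the `trackVisibility` option and `isVisible` entry field) let the widget itself detect being occluded, which is the production counterpart of this offline check.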

Source: https://habr.com/ru/post/167873/
