rather sit in the streets, with my guitar, and busk,
than be a volunteer, for a neural implant from Musk
they may be able to make a happy pig dance, shaking,
but, i'd rather have a steady snout, to enjoy bacon
«One day it will have to be officially admitted that what we have christened reality is an even greater illusion than the world of dreams.» Salvador Dali
There once was a greyhound named Bacchus[^],
Whose zoomies were really quite raucous,
But with his great snout,
He put on a sad pout,
For empty the treat box is.
Software Zen: delete this;
Merging biology with machines has never ended well in the movies.
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
Speak for yourself
«One day it will have to be officially admitted that what we have christened reality is an even greater illusion than the world of dreams.» Salvador Dali
The Matrix exists?
Patrice
“Everything should be made as simple as possible, but no simpler.” Albert Einstein
Andy Capp, celebrating drunkenness for...how many decades now?
I'm no SJW or some sort of revisionist...but I just never found the cartoon to be any particularly appealing.
I received a phishing email that's pretending to be from my cable provider.
However, the link they want me to click leads to the provider's legitimate domain!
It is https://www.xfinity.com
I can't understand how they are expecting to catch me if I go to Comcast's domain.
Does anyone have an idea?
EDIT:
I went into Windows Sandbox and went to the link. And it redirected me to a completely different domain - the scammer's domain!
How did it do that?
FURTHER EDIT:
OK I figured it out. This is the complete scam link:
https://www.xfinity.com/learn/signin-cima?code=0.ac.jHKtzD&state=aHR0cHM6Ly9mZWVsbGl4cy5jb20vP2Jz
You might notice that it hides the actual target domain name very well. That is ".ac" for the Ascension Islands.
I can see many people being fooled by this when they hover over the link in the email.
The difficult we do right away...
...the impossible takes slightly longer.
modified 29-Aug-20 21:02pm.
So there's something in the signin-cima page that interprets the "code" and "state" parameters?
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
Maybe I'm wrong. What do you think is the reason that that link leads to a totally different domain?
The difficult we do right away...
...the impossible takes slightly longer.
I am very curious about this. Either it is an inside job, or domain resolution works far differently than I imagined.
Yep, it could be a really poorly created website that redirects based on the header.
Massive tsk tsk if that is the case.
Alternatively some 'clever' person has managed to post some sort of cross site scripting in their own personal details, having an account with the company, and somehow the state parameter causes the unintentional execution of the script leading to the redirect.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
modified 30-Aug-20 3:04am.
Thanks for sharing it (also investigating how).
Also, this tells us that somehow your email was leaked from your cable operator's office.
Sandeep Mewara wrote: somehow your email was leaked from your cable operator office.
Not necessarily. Spammers send emails to everyone they can.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
Probably a coincidence then: spammers used that cable website and the OP happens to have that connection.
It seems that the server side has been taken over, or it is an inside job...
That page is not part of the UI, and returns differently for every combination of parameters...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
It could just be a loophole in their security - it may be that someone who has an account with the company has posted a cross-site script in a field on their account, which causes the site to redirect when the state variable, passed in the header, is parsed.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
Of course... What made me think of an inside job is that this page (address) can not be revealed by scanning the site... it is a page that should only be known to someone who has seen the server...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
It would certainly be interesting to find out what is going on.
I navigated to the /learn/signin-cima page which then loads a blank page.
(CIMA could be the Chartered Institute of Management Accountants)
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
GuyThiebaut wrote: I navigated to the /learn/signin-cima page which then loads a blank page.
I played with the parameters, and found that the value of code is irrelevant (but must be present), while state not only has to be there, but also has to have that exact value to do the actual redirection...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
The state value is 32 bytes long so I am going to take a guess that it is a 32 byte hash.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
Nope,
It is just a coincidence that the state string is 32 bytes long. It's simply a UTF-8, base64-encoded URL being passed to a CGI script. With a little investigating I see that you can pass any URL to the script and it will send back a Location header redirecting the browser.
This will redirect you back to codeproject.com:
https://www.xfinity.com/learn/signin-cima?code=0.ac.jHKtzD&state=aHR0cHM6Ly93d3cuY29kZXByb2plY3QuY29t
This should be reported to Security Vulnerability Report[^]
Best Wishes,
-David Delaune
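Decoding and checking the state parameter the thread describes, as an added example (not code from the thread, and not Comcast's own redirect handler): it recovers the hidden target from the state value posted above, flags a link whose decoded target host differs from the visible host, and shows the allowlist check a redirect endpoint should apply instead of honouring any URL. The function names and the allowed-host set are assumptions.

```python
import base64
import binascii
from typing import FrozenSet, Optional
from urllib.parse import parse_qs, urlparse

# The lure quoted in the thread; the state value is the one posted there.
PHISH_LINK = ("https://www.xfinity.com/learn/signin-cima"
              "?code=0.ac.jHKtzD&state=aHR0cHM6Ly9mZWVsbGl4cy5jb20vP2Jz")


def decode_state(state: str) -> Optional[str]:
    """Decode a standard or URL-safe base64 value, restoring any '=' padding that was dropped."""
    s = state.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def redirect_target(link: str) -> Optional[str]:
    """Return the absolute http(s) URL carried in the link's state parameter, if there is one."""
    for raw in parse_qs(urlparse(link).query).get("state", []):
        decoded = decode_state(raw)
        if decoded:
            parts = urlparse(decoded)
            if parts.scheme in ("http", "https") and parts.netloc:
                return decoded
    return None


def is_open_redirect_lure(link: str) -> bool:
    """Detection rule: the visible host and the host the state parameter redirects to differ."""
    target = redirect_target(link)
    if target is None:
        return False
    visible = (urlparse(link).hostname or "").lower()
    return (urlparse(target).hostname or "").lower() != visible


def safe_redirect(state: str, allowed_hosts: FrozenSet[str]) -> str:
    """Server-side fix (assumed design): honour the target only if its host is allowlisted, else '/'."""
    target = decode_state(state)
    if target:
        parts = urlparse(target)
        if parts.scheme == "https" and parts.hostname and parts.hostname.lower() in allowed_hosts:
            return target
    return "/"
```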
Randor wrote: It's simply a UTF-8 base64 encoded URL being passed to a CGI script
That explains why randomly changing state was useless...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012