How a favicon delivered a web credit card skimmer to victims
-
Many e-Commerce sites use the Magento platform designed to cater to business owners who wish to sell their services and products.
Now it has been discovered that the sites can be compromised by duplicating the original site and the site's "Favicon" injects malicious code to steal a buyer's credentials only at the Checkout Page.
For more information see the following article.
@greybeard It's an interesting hack. Just shows that modern browsers are much too lenient in what they will allow, like full-size cross-domain iframes and JavaScript run from places where it should never run.
Then again, I don't really see the relevance of an "evil favicon", as they would be free to just add a script in their page and still run a full-size iframe, then check the location of that iframe to see if it was on a checkout page.