RETURN $ecure;

Security, Technology and Life

Posts Tagged ‘cross site rant forgeries

CSRF ramblings

with one comment

I was reading over this post by Robert Hansen of SecTheory just after reading a post of mine about Opera phone integration. It got me to thinking, specifically this part.

It will also have phone to tag support, which basically turns any numbers formatted like a phone number into a link, when it’s clicked the phone will call it. Pretty nifty stuff.

That would be some damn interesting CSRF. Take control over the browser and force the loading of the phones calling directive(e.g. callto://). You could get a person to call your costly line while they are browsing the net. Use caller ID and add them to some sort of calling list. If the phone and browser are integrated enough, perhaps even steal some other data like contacts or service provider, or even their phone number if they have their number privately listed.

As if I needed another reason to hate phones.

Written by Rodney G

02/18/2008 at 7:41 pm