
Re: [Very OT] IIS Basic Authentication can be used for phishing



On Wed, Nov 10, 2004 at 08:27:41PM +0800, Robert Vangel wrote:
> That may be so, but isn't it the fact that IE gives the credentials of 
> the currently logged on user straight away, not defaulting to asking for 
> a username and pass first.

Right.  I asked the question wrongly at first.  It's IE, not IIS or 
Apache, that seems to be vulnerable to a phishing attack.

It surely seems like a huge attack surface.  IE hands out your username 
and password; all anybody has to do is ask!  Of course you have to hit 
OK, but if you didn't know what you were doing, you might hit OK.

Also it seems like IE might silently attempt to hand it out before it 
prompts you with that dialog.  But, even if that's not the case, a dumb 
user might be phished into hitting OK.

Will test this when I get some more time.


