[Pkg-kde-bugs-fwd] [Bug 96020] HTML Allows Spoofing of Emails Content
Dirk Mueller
96020@bugs.kde.org
25 Apr 2005 00:03:14 -0000
http://bugs.kde.org/show_bug.cgi?id=96020
------- Additional Comments From mueller kde org 2005-04-25 02:03 -------
It does affect KMail 3.4 the same way it affected all older versions. However, this proof of concept is pretty lame. It doesn't match the colors, the fonts or even the font sizes. Of course you could theoretically tune for that.

It doesn't have the usual link to the status popup though, and it's clearly mentioned in several places that HTML rendering has phishing problems, and HTML rendering is *disabled* by *default* in KMail, and you get a pretty huge warning if you still enable it.

Anyway, the HTML bar also indicates that this is a spoofed message. Maybe not in an obvious way.

The only way we could mitigate this attack for real though is to load the actual content in a separate frame, so that it cannot paint over KMail-specific HTML. This is a long-term todo, and there are a few bits missing in KHTML in order to achieve that.

So I'd either close it as wontfix or as duplicate, whatever you prefer.
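The "separate frame" mitigation the comment describes, as an added illustration that is not KMail or KHTML code: a trusted status bar composed with an untrusted HTML body either inline in the same document, where the body can paint over the bar, or inside a sandboxed frame, where it cannot. The function names, the CHROME markup and the sample body are constructed for this example; `srcdoc` and `sandbox` are later HTML5 features, which is the kind of engine support the comment notes KHTML lacked at the time.

```javascript
// Added example, not part of the bug report or of KMail/KHTML.
// Hypothetical helper names throughout.

// Escape text for safe use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Trusted client chrome: the status bar the comment refers to (constructed).
const CHROME = '<div id="kmail-status">HTML message (untrusted sender)</div>';

// Naive rendering: the body shares one document with the chrome, so any
// absolutely positioned element in the body can cover the status bar.
function renderInline(untrustedBody) {
  return CHROME + '<div id="body">' + untrustedBody + "</div>";
}

// Isolated rendering: the body lives in its own sandboxed frame via srcdoc.
// The frame is confined to its box, so it cannot paint over CHROME, and an
// empty sandbox value withholds script, forms and top-level navigation.
function renderFramed(untrustedBody) {
  return (
    CHROME +
    '<iframe sandbox="" referrerpolicy="no-referrer" srcdoc="' +
    escapeAttr(untrustedBody) +
    '"></iframe>'
  );
}

// Crude check: does raw body markup appear in the top-level document
// (i.e. outside any attribute, where it would be laid out with the chrome)?
function bodyMarkupLeaksToTopLevel(renderedHtml, marker) {
  return renderedHtml.indexOf(marker) !== -1;
}

// Constructed sample body in the spirit of the report: a block positioned
// where the client's own status bar would be drawn.
const SAMPLE_BODY =
  '<div style="position:absolute;top:0;left:0">Fake status bar</div>';
```

With the inline approach the sample block is laid out alongside the chrome; with the framed approach it only ever exists, escaped, inside the frame's `srcdoc` attribute.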