Web Spoofing is a security attack that allows an adversary to observe and
modify all web pages sent to the victim's machine, and observe all
information entered into forms by the victim. Web Spoofing works on both
of the major browsers and is not prevented by "secure" connections.
The attacker can observe and modify all web pages and form submissions, even
when the browser's "secure connection" indicator is lit. The user sees
no indication that anything is wrong.
works in two parts. First, the attacker causes a browser window
to be created on the victim's machine, with some of the normal status and menu
information replaced by identical-looking components supplied by the attacker.
Then, the attacker causes all Web pages destined for the victim's machine to
be routed through the attacker's server. On the attacker's server, the pages
are rewritten in such a way that their appearance does not change at all, but
any actions taken by the victim (such as clicking on a link) would be logged
by the attacker. In addition, any attempt by the victim to load a new page
would cause the newly-loaded page to be routed through the attacker's server,
so the attack would continue on the new page.
The attack is initiated when the victim visits a malicious Web page, or
receives a malicious email message (if the victim uses an HTML-enabled
We have implemented a demonstration of the Web Spoofing attack and have
shown the demo live at the Internet World conference and on MSNBC television.
Although the implementation is not trivial, it is well within the means of a
single dedicated programmer.
Current browsers do not prevent Web Spoofing, and there seems to be little
movement in the direction of addressing this problem. We believe that
there can be no secure electronic commerce on the Web until the Web Spoofing
vulnerability has been addressed.
Many false claims have been made about Web Spoofing, and some people who
make public statements about Web Spoofing do not understand the full scope
of the problem. If you want to understand Web Spoofing, please read our paper
on the topic. We worked hard to make it accessible to non-experts.
For more information, see our
on this topic.