Hello, I was reading the "IE chromeless window vulnerabilities" thread and thought maybe I could add some proof of concept to this discussion. This very simple demo: http://www.systemintegra.com/ie-fullscreen/ shows how system password could be captured thanks to Internet Explorer working in full-screen mode. Certainly it could be more advanced and designed to detect the platform to show correct login window. It will work fine on the local network, however it has to be optimised for the Internet use - everything has to appear immediately and no download process can be visible. Best Regards, Marek Bialoglowy (ultor@systemintegra.com) - IT Security Researcher PGPkey: http://www.systemintegra.com/pgp/ultor.asc | ID: 0x4B36656E JOB: (CTO) System Integra | JKT, Indonesia | Timezone: JAVT, GMT +7
