December 8, 2004 4:50 PM PST

Browser phishing 'flaw' could hook users

A function built into all major browsers could be co-opted by attackers to fool Web site visitors into surrendering sensitive information, a security firm warned on Wednesday.

The issue, which security firm Secunia labeled a flaw, could allow a malicious Web site to refer visitors to a legitimate site--such as a bank's Web site--and then control the content displayed in a pop-up window. The issue affects Microsoft's Internet Explorer, the Mozilla Foundation's Mozilla and Firefox browsers, Opera's browser, the open-source Konqueror browser and Apple Computer's Safari, the firm stated in advisories on its site.

"No browsers warn or check if the other site is allowed to change the content of the pop-up window," Thomas Kristensen, chief technology officer for Secunia, said in an e-mail to CNET News.com. "If the pop-up window is opened because the users clicked on a specific functionality, the user has no reason to suspect that the content in the window has been changed by a malicious site."

The company has created a demonstration that takes advantage of the flaw on its Web site. The example sends a user to Citibank's Web site, where clicking on the image opens a pop-up window that is controlled by Secunia's program.

Microsoft said that the attack uses a legitimate feature of browsers to fool users.

"Our initial investigation has revealed that the report describes a by-design behavior in all popular web browsers that allows a website to open or re-use a window without displaying the address bar, which is a trust mechanism built into web browsers," the company said in a statement sent to CNET News.com.

Apple, the Mozilla Foundation and Opera could not immediately be reached for comment on the issue.

The hack of a legitimate feature is the latest security threat that could help phishers wrest identity information away from consumers. Last month, online intruders breached the security of at least one server at advertising host Falk and used the computer to distribute an attack to the service's clients, including The Register, a technology news and opinion site. Other flaws, together with mass e-mailing of links pointing to a malicious Web site, have been used to get aggressive advertising software, known as adware, installed on victims' computers.

Microsoft stressed that Windows XP users who have installed Service Pack 2 have some anti-phishing tools. Any window that asks for log-in, financial or personal information should be encrypted and display a lock icon in the status bar at the bottom of the window, Microsoft said in a statement.

"Some phishing cons have shown users a fake lock icon in a fake status bar at the bottom of the browser window," the statement said. "Internet Explorer in Windows XP SP2 will always show the real status bar so that users can detect a fake lock icon from a real one."

However, Secunia said that the browser makers miss the point. Most users won't notice small details like that if they believe they are at a legitimate site.

"The browser vendors fail to take into consideration the change of malicious activities on the Internet and the fact that security holes, which can be exploited to automatically install malicious code, aren't the only thing to be concerned about," Kristensen said.

Secunia advised Web surfers to have only one window open when browsing sensitive sites such as banks and Web stores.

6 comments

Help in detecting Spoofed Websites
CoreStreet (http://www.corestreet.com/) offers a browser extension for both Mozilla's Firefox and Microsoft's Internet Explorer that can help the user to detect spoofed, or fake, websites. It is called "SpoofStick". You can download both versions from the SpoofStick website at http://www.corestreet.com/spoofstick/. It may not be a permanent fix, but it definitely helps! :)
Posted by Hopkins Programming (2 comments )
Zero-Hour Phishing Blocker
SignupShield 3.0 (http://www.protecteer.com) is a new desktop tool that intervenes when a user is about to submit a form containing sensitive information to a suspicious web site - allowing the user to abort.
It does not rely on black lists nor does it alert on a suspicious web site, if the user is not actually submitting sensitive information to that site.
Posted by (3 comments )
sensitive information
http://www.analogstereo.com/chevrolet_owners_manual.htm
Posted by Ubber geek (325 comments )
Not quite accurate...
This story, and the Secunia advisory, is a bit misleading.

In order for this spoofing technique to work, you would have to first click on a link on the malicious web site that takes you to the trusted web site.

In other words, if you are visiting the malicious web site and you independently open a new browser window (or tab) to your trusted web site (say by using CTRL+N), this technique won't work. You have to actually click on a link on a malicious web site first, in order to activate the JavaScript code on the malicious web site that "hijacks" the pop-up window on the trusted web site.

B.
Posted by bahead (27 comments )
Safari
Ran their test on my Powerbook using Safari 1.2.4 with all security updates installed and it is not affected. Ran with Firefox 1.0 and it is affected. Sure am glad I'm not a windoze user!

PS only use Firefox for testing...
Posted by (17 comments )
Same results here...
I got the same results you did. I tested this yesterday after I read the article... and I mentioned it to the author of this story and sent Secunia my results as well. But their website specifically mentions Safari 1.2.4 as being affected. Perhaps it is... but their test doesn't support that claim.
Posted by redherring79 (2 comments )