Several popular Web browsers contain a vulnerability that could be used by cybercriminals to steal personal data, security company Secunia has warned.
The flaw would allow a phishing attack in which a malicious JavaScript pop-up window appeared in front of a trusted Web site, Secunia said in an alert published Tuesday. This could trick a surfer into revealing data such as a password.
"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open--for example, a prompt dialog box--which appears to be from a trusted site," said Secunia's advisory.
According to Secunia, the latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino are all vulnerable. Opera 7 and 8 are affected, but not 8.01, according to Opera.
To take advantage of the flaw, a cybercriminal would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialog box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site.
Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that don't include an address bar or a lock icon that verifies that it came from a certified source.
Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they came from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.
Opera confirmed Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.
"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering, told ZDNet UK.
Krogh also pointed out that Secunia had rated the vulnerability as "less critical."
"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.
You can never fix this problem at the browser level
Microsoft can investigate this problem all they want, and so can the rest of the browser builders in the world. I'm a web developer that can tell you that Javascript is very powerfull.
Javascript used in the fashion of phising can exploit any website because of the use of frames in Javascript. The ability to make a popup in from of a know good website is a Javascript frame issue, not a browser issue.
So here's the last of your 30k worth of advice.
Browsers are equivalent to the human brain reading a book, the browser mearly reads code created by poeple like me. The code in this case is Javascript that is created by a web developer, and then used to manipulate people into giving them information. As long as I can create frames in Javascript, I can continue to exploit this flaw.
As you mentioned Javascript is very powerful, the engine that runs Javscript is much powerful. The browser to which this engine belongs can be powerful. There is always a solution to every problem. I think security wise script engines can have the ability to stop script from a website interacting with scripts/DOM objects from other websites.
"Let's see...if we call an unimportant, almost-impossible-to-exploit bug 'unimportant,' no one will write about it. So let's work in the word 'critical'...'less critical.' Oooo...I like it!"
It can be annoying in that you will have to add the sites you trust to the extension but its as simple as clicking the popup blocker icon in the corner of the window and checkmark trust site. After about a week you will prob have most of your sites listed. Seriously this is the rough equivalent of a tactical nuke when it comes to popups.
Chinese authorities have reportedly taken iPads from a third-party retailer, a move apparently brought on by Apple's continued refusal to honor a trademark for the iPad name owned by a Chinese manufacturer.
NY professor believes that a word-based algorithm can help bring together those who believe, with one glimpse, that they have found and lost the love of their lives.
After a higher-than-expected fourth quarter, the video subscription service unburdens itself of a pending yearlong class action suit and settles for $9 million.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
This week, we pass around Sony's new PlayStation Vita for some hands-on testing, check out HP's newest Beats Audio laptop, and debate the best and worst Valentine's Day gadget gifts.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
the rest of the browser builders in the world. I'm a web
developer that can tell you that Javascript is very powerfull.
Javascript used in the fashion of phising can exploit any website
because of the use of frames in Javascript. The ability to make a
popup in from of a know good website is a Javascript frame
issue, not a browser issue.
So here's the last of your 30k worth of advice.
Browsers are equivalent to the human brain reading a book, the
browser mearly reads code created by poeple like me. The code
in this case is Javascript that is created by a web developer, and
then used to manipulate people into giving them information. As
long as I can create frames in Javascript, I can continue to
exploit this flaw.
"Let's see...if we call an unimportant, almost-impossible-to-exploit bug 'unimportant,' no one will write about it. So let's work in the word 'critical'...'less critical.' Oooo...I like it!"
Details:
<a class="jive-link-external" href="http://weblogs.mozillazine.org/asa/archives/007860.html" target="_newWindow">http://weblogs.mozillazine.org/asa/archives/007860.html</a>
<a class="jive-link-external" href="http://ftp.mozilla.org/pub/mozilla....ntal/popupsdie/" target="_newWindow">http://ftp.mozilla.org/pub/mozilla....ntal/popupsdie/</a>
It can be annoying in that you will have to add the sites you trust to the extension but its as simple as clicking the popup blocker icon in the corner of the window and checkmark trust site. After about a week you will prob have most of your sites listed. Seriously this is the rough equivalent of a tactical nuke when it comes to popups.