Phishing Exploit Affects Major Browsers

By David Worthington, BetaNews

June 21, 2005, 4:24 PM

Sometimes the argument over which browser is most secure is a moot point. Tuesday, Secunia Research posted an advisory on a security flaw that affects all major Web browsers. The firm demonstrated how even a link to a 'trusted' Web site may not be as harmless as it may seem.

In its advisory, Secunia detailed how malicious users can exploit a vulnerability found in JavaScript to craft dialog boxes that pop up in front of the user's browser after the user navigates to a trusted Web site. This method can be used for phishing, that is, obtaining personally identifiable information, by making it seem as if the dialog box was loaded by the target Web site.

The potential exploit affects users of Internet Explorer for both Windows and Mac OS X, Opera, Safari, iCab and all Mozilla-based variants including Mozilla, Firefox and Camino. Secunia has a live proof of concept on its Web site that may be used to test for the vulnerability.

"Secunia rated this as 'less critical'. I think that's about right - it's really just a little JavaScript hack that anyone could use to try to trick a user into entering sensitive information. This isn't so much a bug as a 'feature' that could be abused in a malicious way," said Andrew Jaquith, a Senior Analyst with Yankee Group.

"The broader issue here is that users need to be careful when supplying sensitive information to web sites. A suspicious pop-up window is just that - suspicious."

Vendors are preparing patches for their browsers.
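The weakness described above is one of attribution: the dialog carries no sign of which site's script opened it, so the user credits it to the site in front. The following is an added example, not code from the article, Secunia or any browser; it models a dialog manager that names the requesting origin and holds back dialogs requested by a window other than the focused one. All function names and URLs are hypothetical.

```javascript
// Added illustration: a model of how a browser could label script dialogs.
// Not code from any browser; every name and URL here is constructed.

// Returns the origin of a URL, or null for opaque or unparseable ones
// (about:blank, data:), which must never be presented as a known site.
function originOf(url) {
  try {
    const u = new URL(url);
    return u.origin === "null" ? null : u.origin;
  } catch (e) {
    return null;
  }
}

// requesterUrl: document whose script asked for the dialog.
// focusedUrl:   document the user is currently looking at.
// hardened:     false models the behaviour the article describes.
function describeDialog(requesterUrl, focusedUrl, hardened) {
  const requester = originOf(requesterUrl);
  const focused = originOf(focusedUrl);
  if (!hardened) {
    // No origin in the dialog chrome: the user attributes the dialog
    // to whatever site happens to be in front.
    return { title: "[JavaScript Application]", show: true, mismatch: false };
  }
  const mismatch = requester === null || requester !== focused;
  return {
    title: "The page at " + (requester || "an unknown source") + " says:",
    // Hold the dialog until its own window has focus, so it cannot
    // appear on top of a different site.
    show: !mismatch,
    mismatch: mismatch,
  };
}

// Constructed sample: a dialog requested by one site while another is focused.
const sample = describeDialog(
  "https://other-site.example/page",
  "https://bank.example/login",
  true
);
console.log(sample.title, "| shown now:", sample.show);
```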

By gyro14u

edited Jun 23, 2005 - 7:33 AM

A friend of mine some time ago suggested to make an anti-spam program that in effect returns the email to the spammer in multiples of over 1,000 so as to overload his/her mailbox.
Is there anything available so far?

Tony

Score: 0

By fewt

posted Jun 23, 2005 - 9:46 AM

Spammers never use a real email address, so you would be in effect creating a DOS attack against whomever you returned the mail to instead of fixing the problem, a tool like that would make it much worse (and it's also illegal).

Score: 0

By dahri

posted Jun 23, 2005 - 4:49 AM

What is this? I thought they were talking about dialog boxes, but everybody is discussing pop-ups.

Score: 0

By drumcat

edited Jun 22, 2005 - 7:21 PM

I still challenge anyone to give a good reason that a program should be able to multiply itself. Flat out, I think there is no excuse. Being able to start another instance of a program is fundamentally a security flaw. Can anyone tell me otherwise?

The functionality of a pop-up should be eliminated at the API level.

Score: 0

By fewt

posted Jun 23, 2005 - 9:50 AM

There are many uses for code self replication, AI immediately comes to mind as a viable application. I recall experimenting with code self replication on a C64 15 or so years ago while working on a project where the code learned and grew, rewriting its own code as it learned so it didn't "forget". It never really went anywhere, but it was a wonderful example of a positive application of code replication.

Score: 0

By Kramy

edited Jun 23, 2005 - 4:29 AM

While you are correct, it is obvious you have never played a game with a strict firewall with 'system security'. Many (most) games I have start up by default in some menu when you double click them, and start themselves again when you click the 'Play' button from that menu. The difference being they start with some command line to actually start the game. The ability for a program to start itself or another program will not change. Most people wouldn't like having to select a link, press Ctrl+C, Ctrl+N, click the address bar and type Ctrl+V. Computer illiterate people would also not be able to figure out what the heck they need to do.

Still, your point is valid, but I'd be more curious about what makes Macs secure rather than a feature that is just too convenient to get removed.

Score: 0

By sophist_dreams

edited Jun 22, 2005 - 1:57 PM

Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they came from trusted sites. As usual Secunia is a day late and a dollar short with their yellow journalism. I am also beginning to think Beta News should do a little investigating before they post this crud.

Score: 0

By Mehtuus

edited Jun 22, 2005 - 1:09 PM

This is a non-existent problem for FireFox users with this extension [ http://www.noscript.net ]. Has been for some time...

NoScript provides extra protection for your Mozilla Firefox browser: this extension allows JavaScript execution only for trusted domains of your choice (e.g. your home-banking web site).

Score: 0

By sophist_dreams

edited Jun 23, 2005 - 12:21 PM

This extension is also available at the FF Themes and Extensions site. I would recommend that you use it... on some pages I have visited as many as 55 java scripts have been caught and blocked by NoScript.

Score: 0

By funcheung

edited Jun 22, 2005 - 9:51 AM

sick of all kinda so-called news:

"new security holes of XXX discovered".., where XXX can be anything ranging from the White House, credit cards, web browsers..

Score: 0

By cazzulati

edited Jun 22, 2005 - 7:28 AM

maxthon (ie-based browser, try it, it's really good) does the right thing and displays in clear the full url of the originating site, just under the prompt. if you bother to read it, well, you should be safe.

Score: 0

By reets

posted Jun 22, 2005 - 7:01 AM

Well, this doesn't seem too bad. People shouldn't give out their information anyways unless it's on the official site. Secunia has a link to test, if you middle-click the link and make it load in a new tab, the dialog asking for password doesn't even come up.

Score: 0

By Kramy

posted Jun 21, 2005 - 9:41 PM

Hmm...not a big problem. I always kill popups before they can load their pages, and I personally wouldn't be fooled by such a thing. I can see why this would be bad for the computer illiterate though.

Still, I think a bigger problem is the ability to crash windows from IE using some javascript. That'll have the illiterate really stumped.

Score: 0

By gawd21

posted Jun 21, 2005 - 9:31 PM

Shouldn't use the web in the first place.

Score: 0

By glenvdb

posted Jun 21, 2005 - 8:28 PM

They (the web browser companies, and the makers of javascript) should just write a patch that KILLS pop ups (mouse-overs etc) altogether. Nobody likes popups, only advertisers and scammers use it.

Score: 0

By athome

posted Jun 22, 2005 - 10:17 AM

Java knows this and is now rewriting its code to allow vendors to serve ads through Java. More legitimately than ever before. They too want to jump on the ship of profitability. This was in one of the BetaNews articles about 1 1/2 months ago. Get rid of Java and Active-X.

Score: 0

By wincement

posted Jun 21, 2005 - 8:04 PM

What the? Try the test. All it does is open the javascript from a pop-under. Just watch what window you're in and you shouldn't have a problem.

Andrew Jaquith was right. It's not really a vulnerability. It's just that someone with ANY knowledge of javascript can use its features in a malicious way.

Score: 0

By athome

edited Jun 22, 2005 - 11:06 AM

It is not meant to trap those that are knowledgeable, but the millions of people out there that are not will just type in the information and continue on. I think it is selfish to only think of ourselves, though how irresponsible we may think that action be. It is deceitful, and I am sure that though someone in our field might or can be duped into putting in information. We are all human, and for the most part too trusting.

We are not the ones that design webpages (not to say that no one here is). But more that we are not in control of how the webpage is developed, but we use them. We trust that we will not be duped when we go to our bank site to get our account information that the site will be protected. I put in my username and password, but up pops a box and that box requests me to input it again due to an internal error. Without too much thinking at that point, we put it in, not knowing that a script was slipped in and now your information is given to someone else. You don't realize this, because you were allowed entry onto your bank site and got the information you desired. No need to call the bank or whomever to let them know.

We didn't know about phishing until the past year, though it has gone on for a while. Thieves have become smarter with the web and it is easy for them to get what they want. IMO it is so silly to only blame the unknowing user of this mistake. Yes, they should be aware of the security risks and up to about 3 years ago, it was mainly the threat of a virus that could disable your system and having to take it in to Best Buy to have it removed. To some degree we only were concerned with others here in the US. But now it is much more global. It is now, your neighbor and the little old lady in Bosnia.

With the increase in vulnerabilities, we now have to question everything. Trust is gone. I enjoy doing online banking and some business. I not only have to worry about these phishing attempts, but the salesperson on the other end that may be giving my credit card information to his buddy. (I have had this happen) Is that my fault - he** no. We shouldn't accept that. Granted, some things are the fault of the user, but not in the context you have brought up here.

I took all the precautions, and was still duped. I installed Spybot onto my machine way back, I set it up the way it instructed and it removed what I thought was all the spyware from my computer. But I find out the hard way that the developer was contacted by adware companies to not detect their software from the computer. His definitions held the information about these companies and identified them as adware, but set the program up to not search for them (deceitful whether free or not). Is it my fault that I buy a program that states it removes ads, but only competitor ads, then serves more ads from their companies? No, I disagree. That is a misrepresentation of their product (false advertising) and they should be held liable. I don't expect Spybot or Ad-Aware to know every ad or spy, but the ones they know should be removed. Knowingly withholding that information is wrong - IMO.

When it comes to the internet, big money is behind all of this. What were once trusted companies (Google, Spybot, Sun Micro (Java)) are now out for our business (money) and don't care how they do it. We keep blaming the wrong people. I am glad that browsers are doing their best to keep up with these demands and like the new securities that are developed. I only hope that these companies do not deceive us.

Score: 1

By drumcat

posted Jun 21, 2005 - 6:58 PM

"Vendors are preparing patches for their browsers."

How about operating in such a way that it's easy to turn off and on these things -- pop-ups shouldn't pop-up. Think about it another way... how many computer programs self propagate? I can think of 2 -- browsers and virii. Maybe we should be a little more concerned with the ability to propagate additional interfaces... it's a vulnerability known to most as a "feature".

Score: 0

By mjm01010101

posted Jun 21, 2005 - 5:57 PM

seems more critical to me. Say you commonly go to a site that requires you type text. This popup could intercept the text and you wouldn't even know it as you may not have been looking at the screen...

Score: 0

By gawd21

posted Jun 21, 2005 - 9:33 PM

Easy, learn to type.

Score: 0

By netwiz562

posted Jun 21, 2005 - 5:45 PM

Simple solution: all browser windows should have the source url visible and certificate accessible.

Score: 0

By danigoldman

posted Jun 21, 2005 - 5:24 PM

Opera already fixed this with their latest version, Opera 8.01, last week.

Score: 0

By jshrk

posted Jun 22, 2005 - 10:17 AM

Yeah, I noticed that too. BTW, I see you have had the same problem as me with Opera 8 though: with the BetaNews page, when you post a comment the page doesn't always load through after accepting, e.g. hit post comment, which sends the message to the server but doesn't pick up the link to refresh the page, resulting in lots of comments exactly the same being posted. Don't know why they haven't fixed it yet. Opera rocks though.
More on topic, this exploit isn't really an exploit at all. I have known about this for a long time, couldn't believe they had only just come out with this. It's not very much of a threat; most people encounter this type of situation with spyware, which will randomly bring up adverts on your PC whatever you are doing, e.g. could be a secure site. Let them make a fuss over it though, that's what Secunia does best.

Score: 0

By nate

posted Jun 22, 2005 - 12:03 PM

We will look into the Opera quirk. Could be something fixable on BetaNews.

Score: 0