Vulnerability allows scammers to hijack pop-ups


barney_rebel

Vulnerability allows scammers to hijack pop-ups

The flaw, yet to be exploited, affects most Web browsers

News Story by Scarlet Pruitt

DECEMBER 09, 2004 (IDG NEWS SERVICE) - Security researchers warned this week of a vulnerability in most Web browsers that could allow scammers to launch phishing attacks from pop-up windows on trusted Web sites.

The vulnerability arises when an Internet user opens browser windows for both a legitimate Web site and a malicious site at the same time. Because of an old functionality that exists in most browsers, the malicious site can display information in a pop-up window from the trusted site, according to Secunia Research.

The vulnerability has yet to be exploited, but it could present a very effective method for launching online fraud scams, often known as phishing, Secunia Chief Technology Officer Thomas Kristensen said today.

While most users do not intentionally visit malicious Web sites, they often stumble upon them by following links, making it relatively common for Net surfers to have browser windows open for both legitimate and malicious sites at the same time, he said.

The vulnerability could be particularly dangerous if exploited to display misleading information on a pop-up window from a legitimate bank Web site, for example, Kristensen warned. Even if savvy users check for the yellow "lock" icon on a Web site, signifying encryption, the pop-up could still display content from the malicious site.

"This could be a surprisingly effective way to seduce or trick people into doing something," Kristensen said.

The vulnerability affects almost all browsers on different operating systems, including Internet Explorer, Mozilla, Firefox, Opera, Konqueror, Safari and Netscape, the researcher said.

Copenhagen-based Secunia went public with its warning yesterday, after saying that it had alerted browser vendors of the vulnerability months ago.

Microsoft said today that it has investigated the report and added that customers who use Windows XP SP2 and follow its advice on spoofing attacks are at a reduced risk.

The functionality described in the report allows a Web site to open or reuse a window without displaying the address bar. However, SP2 users will see a status bar in the pop-up window, allowing them to look for the yellow lock icon and confirm that the site is valid, Microsoft said.

Opera has also included measures to mitigate the vulnerability in the latest beta version of its software, Kristensen said.

He acknowledged that by going public with the warning, he was also alerting Internet scammers to a new opportunity, but said that he felt the public should be aware of the threat since not all browser vendors had been responsive. "We thought it would be better to openly talk about this, and we are giving advice on how to mitigate it," Kristensen said.

http://www.computerworld.com/securitytopic...?from=homeheads
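The mechanism the article sketches, a page opening or reusing a window by name with no address bar showing, as an added example that is not part of the original post, the Computerworld article or Secunia's advisory. It models the browser's named-window lookup in plain JavaScript so it runs under Node without a browser; the Browser class, the scopedToOpener switch standing in for the later browser fix, and the bank.example / evil.example origins are constructed for the demo and are not any vendor's code.

```javascript
// Added example (not from the article or Secunia): a small model of the
// browser behaviour the advisory describes. A call to window.open(url, name)
// reuses any already-open window carrying that name. In 2004 that lookup was
// not tied to which page had opened the window, so a page on evil.example
// could address a pop-up that bank.example had opened and replace its content.
//
// Everything below is constructed for the demo. "scopedToOpener" is a
// simplified stand-in for the later browser fix, in which a target name only
// resolves to windows the calling page itself opened; it is not a transcript
// of any vendor's patch.

class Browser {
  constructor(scopedToOpener) {
    this.scopedToOpener = scopedToOpener;
    this.windows = []; // every open window: { name, openerOrigin, url, origin }
  }

  // Model of window.open(url, name) issued by a page running at callerOrigin.
  open(callerOrigin, url, name) {
    let target = this.windows.find(
      (w) => w.name === name && (!this.scopedToOpener || w.openerOrigin === callerOrigin)
    );
    if (!target) {
      target = { name, openerOrigin: callerOrigin };
      this.windows.push(target);
    }
    // Navigating the window replaces its document, and therefore its origin.
    target.url = url;
    target.origin = new URL(url).origin;
    return target;
  }
}

// The trusted site opens its login pop-up under a fixed, guessable name and
// hides the address bar. In a real page this is roughly:
//   window.open("https://bank.example/login", "bankLogin", "location=no,toolbar=no");
function bankOpensLogin(browser) {
  return browser.open("https://bank.example", "https://bank.example/login", "bankLogin");
}

// The malicious site, open in another window at the same time, targets the
// same name. It needs no handle to the bank's window, only the name.
function attackerInjects(browser) {
  return browser.open("https://evil.example", "https://evil.example/phish", "bankLogin");
}

// Run both pages against one browser model and report where the bank's
// pop-up ends up pointing.
function runScenario(scopedToOpener) {
  const browser = new Browser(scopedToOpener);
  const popup = bankOpensLogin(browser);
  attackerInjects(browser);
  return {
    popupOrigin: popup.origin,
    hijacked: popup.origin !== "https://bank.example",
    openWindows: browser.windows.length,
  };
}

console.log("2004 behaviour :", runScenario(false));
console.log("scoped lookup  :", runScenario(true));
```

Run it with node. The first line shows the bank's pop-up now carrying evil.example content while only one window exists, which is why the lock icon on the bank's main window tells the user nothing about what the pop-up is showing. The second line shows the scoped lookup refusing the cross-site match and creating a separate window for the attacker instead, which is the shape of the mitigation browser vendors later shipped.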

QUOTE (furie @ Dec 9 2004, 01:34 PM)
But Safari suppresses pop-ups automatically. If you don't get pop-ups, how can they be hacked?

I haven't researched this yet, but... It sounds like the bad pop-ups make themselves look like they are from the original trusted site. Therefore the pop-up blockers (StopZilla, Safari, Mozilla) people install may not stop the bad pop-ups from "popping up". The pop-up stoppers use an update file similar to the ones used by anti-virus software. They only block from sites they know are bad; they read something called a blacklist of known malicious sites.

Win XP running SP2 can be configured to block pop-ups, period. It doesn't rely on a "blacklist"; it just stops all of them. That is why the article mentioned that particular configuration being "less" vulnerable.

I had a lot of issues with pop-ups and viruses this summer. I now run Win XP Pro with SP2, StopZilla and Spy Sweeper, with Norton checking for viruses. It has kept my PC very clean. You just have to remember to run the update utilities every day or two. They only take 2-3 minutes if you keep up with them.

Hope this helps.
