New Vulnerability Affects All Browsers
Jimmy writes "Secunia has reported a new vulnerability which affects all browsers. It allows a malicious web site to "hijack" pop-up windows which could have been opened by, e.g., your bank or an online shop. Here is a demonstration of the vulnerability."
Not quite hijacking (Score:3, Interesting)
But if I used the link from Secunia [secunia.com] to access Citibank, the popup is then hijacked.
So it seems like you need to access (click on a link to) your trusted site via an untrusted site to get hijacked?
Re:Sniff, our little browser's all grown up... (Score:2, Interesting)
Mozilla, being an organization that develops an application collectively, falls prey to committee thinking. If enough people can shout you down on Bugzilla, your opinions don't matter and you get disillusioned.
The only worse part is that IE eliminates the middle man: bug reports to Microsoft are almost always met with silence instead of Mozilla's "Marked as DUPLICATE of a WONTFIX bug" responses.
Re:no problem here... (Score:4, Interesting)
We haven't heard from any Konqueror users yet (and the modem in my Linux box is broken so I can't check it myself). Is the immunity a khtml thing or was it Apple?
It's the cookies (Score:2, Interesting)
I followed the appropriate links allowing cookies to be placed by citibank. The window was indeed hijacked.
I then followed the same links but this time not allowing Citibank to place any cookies. The window was not hijacked.
Be aware of what/who is placing cookies on your machine!
Re:Sniff, our little browser's all grown up... (Score:2, Interesting)
on firefox.
in gentoo.
going between pages on slashdot.
wtf?
Does this affect secure browser sessions? (Score:1, Interesting)
If they can hijack encrypted windows, then it's a big problem. If they can't, it's no big deal. Anybody can intercept an unencrypted session; this exploit is just one more method to do so.
Firefox 1.0 (Score:3, Interesting)
If I middle-click on the test page and *force* Firefox to open the site in a new tab, the exploit fails.
I don't know enough to know if this is a limitation in the exploit or in how they've written the exploit, but it's odd and interesting.
Re:Firefox 1.0 seems fine (Score:3, Interesting)
Re:UPDATE: Slackware 10, Konqueror, Mozilla 1.7.3 (Score:3, Interesting)
In Javascript, if (and only if) your web page opens a new window, it "owns" that window. In other words, you have access to the whole DOM in that window. You can step through the document object, alter things, and so forth. This is how things are supposed to work; it's what enables us to open new windows and interact with the user. For example, maybe you want to pop up a window, ask a couple of questions, get the results, and close the window. Something I did recently at work was code an informational popup this way, because we had to kind of shock the user a little, to prevent them from just clicking "OK" to close all the alerts we were sending them. We made the popup very pretty and noticeable. OK?
So, the guys at Secunia decided that was a vulnerability and they set up this little test to scare everybody. So...
IF you went to a crooked website, and IF you clicked a link to pop up a site like Citibank's FROM THE CROOKED WEBSITE, and IF you went about your business on Citibank's site and clicked their crooked CSS overlay or popup (or whatever, you can probably do it in a couple of ways) THEN and ONLY THEN would you be sent to a crooked popup window with which they could phish you.
In other words, in order to really make use of this, a phisher would have to:
1. Get his code onto an actual commercial website so that people would find it and unsuspectingly click a banking link;
2. Evade capture for long enough to collect a bunch of credit card numbers (or whatever), with the commercial site's security team coming after him with knives sharpened;
3. Avoid having the crooked popup's web URL or IP address traced back to him by the FBI or Interpol within a day or so;
4. Figure out a way around the bank (or whatever) putting a huge banner on their site saying in bright red flashing letters "DO NOT APPROACH THIS SITE VIA A WEB LINK! TYPE THE SITE ADDRESS IN YOU SCHMUCK!" (or just putting a parent.close(); line of code in their existing Javascript, plus some code to refresh the page from the bank's server, clearing out anything from the crooked site -- would this work? I haven't tested it yet -- but I'm sure there are other ways to do it and the bank's developers are smarter than phishers, generally).
BUT, even if the phisher DOES figure all this out, it won't do him any good, because
WHEN PEOPLE GO TO THEIR BANK'S WEBSITE, THEY USUALLY JUST TYPE IN THE URL OR USE A BOOKMARK!
So, in short, I think this is nothing much to worry about.
Discuss!
in my opinion there is a simple fix for this (Score:3, Interesting)
Well, why not make a new rule in JavaScript that would disallow any JavaScript code from accessing any popups that aren't a direct child of the current instance of the browser?
Basically what I mean is to have each window in its own namespace and have the child window share said namespace. (I think one would have to not allow grandparents to access it either, though.)
So basically if two separate windows open a window with target="name" then two windows are opened, one for each instance, and they have nothing to do with each other.
proxy
Vulnerability? For dyslexic octopii, maybe (Score:3, Interesting)
This strikes me as about as dangerous as the post-SP2 "Warning! If you copy and paste shit files from the net and click a few boxes, YOU COULD GET SPYWARE!".
For the record, I just nuked and reinstalled XP-Sp2 + hotfixes a few days ago (for once, not because it was fucked up, but my new raid0 array), so I have cherry IE6 and unextensioned-FireFox 1.
I tried several variations of the convoluted instructions, and could get no explicitly dangerous behavior. Mozilla didn't bat an eye, and IE once popped up a box saying "The script is trying to close this window, do you want to let it?" If I let it, then it opened the Citibank site in the window again.
Oooh, scary.
I'm sure there may be some actual, dangerous vulnerability here somewhere. But I've gotten better instructions from the Japanese ASUS site, translated through Google.
just say no to javascript (Score:3, Interesting)
For Firefox or Opera just turn it on when you absolutely need it and never forget to turn it off right away when you are done. For IE make use of the security zones to implement JavaScript whitelisting. That's what I do because with Firefox and Opera I often don't remember to turn it off again until I start getting annoying popups or worse.
Seems like more than half of these vulnerabilities that keep popping up make use of JavaScript. That last one with the online banking passwords was pretty scary and made me very glad that I browse with JavaScript off.
Re:This sounds scary (Score:3, Interesting)
"Firefox prevented this site from opening 619 popup windows. Click here for options"
Is this Windows only or something?
Re:Doesn't work for me (Score:1, Interesting)
It appears to not work under Firefox 1.0 if the default pop-up blocking is enabled (even if you do the one designed to work with pop-up blocking). This is probably because the hijacking pop-up of Secunia is blocked from opening and replacing the Citibank pop-up.
Allowing pop-ups from Secunia allows this hijack to work in Firefox.
Smile (online bank) doesn't trust popups (Score:2, Interesting)
Just another reason to switch to http://www.smile.co.uk/ [smile.co.uk]
I don't work there, just a very happy customer.
ALL browsers? I think not! (Score:2, Interesting)
Re:Sniff, our little browser's all grown up... (Score:2, Interesting)
Take a look at the source of the demonstration page. This is not a bug in Firefox/IE/Mozilla/etc. This is a vulnerability due to Java being able to hijack a window if the name is known. That is why it affects all browsers. I don't see how any browser maker can fix this. If I were to bet money, I would probably say that they won't. However, there is a simple fix: disable java scripts in your browser of choice. No java scripts running, no exploit.
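The point this comment and the long "Re:UPDATE" comment above make is that the popup is re-targeted purely by its window name, which is also why a bank-side countermeasure (the idea floated in that earlier comment) can work. The following is an added example, not code from Secunia or from anyone in this thread: it models how window.open(url, name) behaved in the browsers of the day (an existing window with that name is navigated, otherwise a new one is created) and shows a popup renaming itself on load so a later open with the old, guessable name can no longer reach it. The browser model, the names openWindow/harden/scenario and the URLs are all constructed for this example.

```javascript
// Added example: a constructed model of named-window targeting and a
// site-side mitigation. Not the browser's real implementation.
const windows = []; // every open top-level window, in creation order

// Model of window.open(url, name) as the thread describes it: if a window
// with that name already exists, it is navigated to the new URL, whoever
// opened it; otherwise a new window is created.
function openWindow(url, name) {
  const existing = windows.find((w) => w.name === name);
  if (existing) {
    existing.url = url;
    return existing;
  }
  const w = { name, url };
  windows.push(w);
  return w;
}

// Mitigation run by the trusted page inside its own popup: replace the
// guessable name with one a third party cannot know in advance.
// `random` is injectable so tests are deterministic.
function harden(win, random = Math.random) {
  win.name = "w-" + Math.floor(random() * 2 ** 48).toString(36);
  return win.name;
}

// Scenario: a bank page opens its login popup under a fixed name; later a
// page from elsewhere calls open with that same name. Returns what the user
// would end up looking at in the bank's popup.
function scenario(withMitigation) {
  windows.length = 0;
  const bankPopup = openWindow("https://bank.example/login", "bankLogin");
  if (withMitigation) harden(bankPopup, () => 0.5);
  const other = openWindow("https://other.example/form", "bankLogin");
  return {
    bankPopupUrl: bankPopup.url,   // what the bank's popup now shows
    sameWindow: other === bankPopup, // true means the popup was re-targeted
    windowCount: windows.length,
  };
}
```

Without the rename the second open lands inside the bank's popup; with it, the second open gets a fresh window and the bank's popup is untouched.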
Re:I think I've solved it. (Score:3, Interesting)