New Vulnerability Affects All Browsers
Jimmy writes "Secunia is reported about a new vulnerability, which affects all browsers. It allows a malicious web site to "hi-jack" pop-up windows, which could have been opened by e.g. your bank or an online shop. Here is a demonstration of the vulnerability."
Sniff, our little browser's all grown up... (Score:2, Insightful)
Thank goodness we've found our first vulnerability in Firefox. Now we can move from the myth that free software is impervious to exploits, and into the reality that vulnerabilities are acknowledged and patched faster in most free software projects. Gentlemen, synchronize your watches. Will the Firefox team have a fix out before Microsoft even admits it's a bug?
Re:Sniff, our little browser's all grown up... (Score:5, Insightful)
Uh, who was saying that?
This sounds scary (Score:5, Funny)
Re:This sounds scary (Score:3, Interesting)
"Firefox prevented this site from opening 619 popup windows. Click here for options"
Is this Windows only or something?
Re:This sounds scary (Score:5, Funny)
Lynx support (Score:4, Funny)
Safari vulnerable if 'pop-up-blocking' is off (Score:4, Informative)
Re:Sniff, our little browser's all grown up... (Score:5, Insightful)
Re:Sniff, our little browser's all grown up... (Score:3, Insightful)
Re:Sniff, our little browser's all grown up... (Score:5, Informative)
BTW Javascript has nothing to do with Java except the name.
Not the first Firefox vulnerability (Score:5, Informative)
As far as I can tell the problem is fixed in the latest Opera beta so they might be able to get it into a proper release pretty soon too.
Re:Sniff, our little browser's all grown up... (Score:4, Funny)
Comment removed (Score:4, Insightful)
Comment removed (Score:4, Informative)
Re:Sniff, our little browser's all grown up... (Score:3, Insightful)
First? There have been plenty of other FireFox vulnerabilities in the past, however they have all been fixed extremely quickly once discovered (i.e. within a day or 2).
All software has security holes in it, get over it - the difference is that the Mozilla Foundation have a habit of fixing them as soon as they find out about them whereas Microsoft have a habit of waiting for many months before bothering to fix them even if they are being active
I don't get it (Score:2, Informative)
I refreshed the page, and tried the link that said 'Without Pop-up Blocker'. It opened up the Citibank website, but it did not hijack my Citibank popup window.
Same thing happened to me under IE6 (except I did not get the dialog when I clicked on the 'With Pop-up Blocker' link).
Maybe it works under certain circumstances, but I couldn't reproduce it.
Re:I don't get it (Score:2, Informative)
Re:I don't get it (Score:5, Informative)
And the exploit worked just 'fine' on my firefox 1.0.
Re:I don't get it (Score:5, Informative)
Re:I don't get it (Score:5, Informative)
I hope this helps the vast masses of smart
You know you've found a good exploit... (Score:4, Funny)
Re:I don't get it (Score:4, Informative)
The exploit worked for me on Firefox 1.0 on Windows 98 SE with pop-up blocking turned off, but the exploit didn't work for me when pop-up blocking was turned on.
I think I've solved it. (Score:5, Informative)
Middle-click to open the Citibank page in a new tab: YOU WILL NOT BE VULNERABLE.
Left-click and allow the Citibank page to open in a new window: YOU WILL BE VULNERABLE.
At least, that's the behaviour I see on this box.
Re:I think I've solved it. (Score:3, Interesting)
Re:I don't get it (Score:4, Informative)
Re:I don't get it (Score:5, Informative)
under about:config, I have dom.disable_window_open_feature.location set to true. So every window must show the location (and because of it, I immediately could see the webpage I was at was not citibank.com).
Comment removed (Score:5, Informative)
Not all browsers (Score:2)
Anyone else have a build of firefox that wasn't really fooled?
All your typos... (Score:4, Funny)
And in other news, Slashdot is reported all about a new grammatical error in the headlines.
Reporting anyone?
Re:All your typos... (Score:4, Funny)
Not quite hijacking (Score:3, Interesting)
But if I used the link from Secunia [secunia.com] to access Citibank, the popup is then hijacked.
So it seems like you need to access (click on a link to) your trusted site via an untrusted site to get hijacked?
Here's how it works (Score:5, Insightful)
So the attacker doesn't need you to click on anything, they just need you to have their site open -- with the timer going -- in another window. Also, the attacker needs to know in advance what name the victim site's pop-up is referenced by. A dynamically generated name could possibly defeat this attack, though the attacker could always crawl the DOM for a handle to the pop-up.
Re:Here's how it works (Score:3, Insightful)
I doubt it. If any browser allows you to look at the DOM of a page from a different site, that is a far greater security hole than what they are demonstrating.
Re:Here's how it works (Score:3, Insightful)
Evil site A helpfully offers a link that opens Good site B. If a user clicks the link and opens Good site B, Evil site A waits for the user to open a predictably named popup from Good site B, then reaches down through the DOM (using code on Evil site A) and alters the URL of the popup, bouncing you to their Evil popup.
Big whoop -- this is permitted by Javascript's security model, you know -- the parent window "owns" the child window, thus it can access it and do weird things.
Re:A quick workaround for FF 1.0 (Score:3, Informative)
I would like to disable JavaScript entirely, but unfortunately that breaks too many pages.
no problem here... (Score:4, Informative)
Re:no problem here... (Score:4, Interesting)
We haven't heard from any Konqueror users yet (and the modem in my Linux box is broken so I can't check it myself). Is the immunity a khtml thing or was it Apple?
Re:no problem here... (Score:5, Informative)
Re:no problem here... (Score:4, Funny)
Re:no problem here... (Score:5, Informative)
Happy. (Score:2)
Well, that's one alert I'm safe from. Whew.
Demo don't work (Score:3, Funny)
It's called "Slashdotted" (Score:3, Funny)
Re:It's called "Slashdotted" (Score:3, Funny)
wait for 10,304,345 hits in the next five minutes as people post "x" in vulnerable "!X" is clear . .
server goes down
Profit!
Safari test (Score:5, Informative)
When I turned off the pop-up blocking feature, then when I tried the test, I did see a pop-up from the Secunia site instead of the Citibank text. Now that's a problem.
Clearly, this is just another reason to block pop-up windows.
Re:Safari test (Score:4, Insightful)
I can confirm this works when the "Block Pop-up Windows" in the Safari menu is disabled, but not when the Blocking option is enabled. Rather than just a "me too", I went through the demonstration in reverse order of the previous poster (and was careful to refresh and follow the appropriate links) so I don't think this behavior is due to caching issues.
While I do hope there will be a fix for this soon, IMHO, the more apropos fix is that secure sites should not EVER rely on popups.
Works for me (Score:3, Informative)
Re:Works for me (Score:3, Funny)
Security through server meltdown?
not irider (Score:3, Informative)
All browsers?!? (Score:4, Funny)
Re:All browsers?!? (Score:5, Funny)
I just don't believe it. Anything -- even an exploit -- working in all browsers would be unprecedented!
Lynx appears to be unaffected.
Nyeh (Score:4, Informative)
Of course it's a bug (Score:5, Insightful)
Site A should be able to create and interact with a window named "popup".
Site B should be able to create and interact with a window named "popup".
This should happen without either site interfering, blocking or overwriting the other. They should simply be invisible to each other, existing in completely separate little worlds.
Re:Of course it's a bug (Score:5, Insightful)
Re:Of course it's a bug (Score:3, Informative)
Traditionally, windows weren't private to sites, but this is just a variation of the "cross-frame scripting" bugs that have been patched over time.
Re:Of course it's a bug (Score:3, Insightful)
Traditionally, windows weren't private to sites, but this is just a variation of the "cross-frame scripting" bugs that have been patched over time.
A stupefyingly dumb design decision in the first place. The above poster's namespace comment is dead on, and there is obviously no choice but to implement per-site namespaces properly.
This design bug, however, is the fault of _all_ of us, for not reviewing the des
Re:Of course it's a bug (Score:3, Informative)
I did find this:
Referring to windows and frames [netscape.com] from the Netscape JavaScript handbook. It says nothing about window names being private.
So, pin this one on Netscape, and the lack of any formal open standard for what happens in a browser outside of the document.
Not so bad... (Score:3)
Comment removed (Score:3, Informative)
Re:Using Opera 7.54 (Score:3)
jack pot (Score:4, Funny)
Re:jack pot (Score:3, Funny)
Wow, did you get an email from Yassir Arafat's widow too? I'm still waiting for my cash transfer.
Once again, why needless use of Javascript is BAD! (Score:4, Insightful)
If web masters would stop NEEDLESSLY using Javascript to do things like open new windows, and would use it ONLY when there is no way using HTML to accomplish the same goal, then people would not need to have Javascript active all the time, and the impact of exploits like this would be greatly reduced.
If, instead of using <a href="#" onclick="foo"> or <a href="javascript(foo)"> type constructs, web designers would use <a target="_blank" href="something.html" onclick="javascript(stuff)"> type constructs, then if the user HAS Javascript active, then the web master can micromanage the newly created window. If not, then the user STILL gets a new window, just not one that the web master can remove all the chrome from.
Seriously - when was the last time you heard of an exploit that used straight HTML? All of the recent exploits in ALL browsers, IE included, have been in either Javascript or Active-X, not in the core HTML rendering.
There is a REASON for that.
Re:Once again, why needless use of Javascript is B (Score:5, Insightful)
Example: Sites that pop up their "main" window from their "entry tunnel." Exactly what justification do you have for thinking I still need to view your entry tunnel?
Example: (as mentioned,) sites that use Javascript to open windows. Granted, this practice came around before Opera/Mozilla introduced us to the wonders of tabbed browsing, but what's the point of pulling up a "diversionary" window and forcing the user to close it? Afraid they might not understand the concept of the "back" button?
Example: using flash/java/shockwave/etc to perform functions that could be handled in HTML, especially now that we have DHTML. I have trouble with understanding the argument "we will be more successful if we deny access to some percentage of the population."
etc etc etc. IMHO, this is a symptom of the problem where people assume "everyone else thinks / acts / behaves in the same way I do."
Re:Once again, why needless use of Javascript is B (Score:3, Informative)
Re:Once again, why needless use of Javascript is B (Score:5, Informative)
Yup. Check out Ian Hickson's "Sending XHTML as text/html Considered Harmful" [hixie.ch] for a quick primer on what most sites that do XHTML are doing wrong. Check out Evan Goer's list of "X-Philes" [goer.org] for a list of the very few sites which get it right, and his purge of sites from that list [goer.org] for an indication of how easy it is to go wrong even after you've initially gotten it right.
As for HTML generally not producing good markup and being "too loose", I hate to break it to you but XHTML 1.0 and HTML 4.01 are element-for-element identical; the only difference between the two is that one is an SGML application and one is an XML application. And when you serve XHTML 1.0 as "text/html" (e.g., when you do XHTML the way ESPN and others do) you don't gain any of the strictness benefits of XML. And the only thing XHTML 1.1 does on top of that is deprecate a couple more things and add modularization and ruby support, so I'm really not sure where all the "good markup" would come from in a transition to XHTML. Plus there's no reason to believe that serving XHTML 1.1 as "text/html" is conformant, so if you use 1.1 you either break the spec or you shut out IE. Likewise, switching to an XHTML DOCTYPE and using XML syntax doesn't magically confer accessibility on a page; it's just as easy to write a horrid, bloated, table-based images-for-everything page in XHTML as it is in HTML 4.01.
I suspect that you're making a common mistake among people who've just discovered web standards: you're confusing XHTML with good markup and best practices (check out Molly Holzschlag on what standards are and aren't [molly.com]). Anyway, it's quite possible to write beautiful, clean, accessible, semantically rich HTML 4.01 with separation of content from presentation; after all, it's got the same set of tags and attributes as XHTML 1.0, so if you can do it in one you can do it in the other just as easily. And when you consider that serving valid, well-formed XHTML according to the spec can be a nightmare at times, it's no surprise that even "gurus" of the standards world (e.g., Mark Pilgrim [diveintomark.org], Anne van Kesteren [annevankesteren.nl]) have gone back to or recommended sticking with HTML 4.01 unless you really need one of the features gained by an XML-based HTML.
And lest you continue to think I'm some sort of skeptic or enemy of web standards, well, every site I've built in the past three years (basically, since I discovered there was such a thing as a "web standard") has been valid, accessible, and CSS-based. I just know from experience that valid markup and stylesheets are one part of the equation, and there are an awful lot of those "best practices" that aren't ever published in a spec from the W3C or anyone else.
Re:Once again, why needless use of Javascript is B (Score:4, Informative)
With scripting, you can make iFrames draggable, closeable and behave and look just like regular windows but they are, in essence, windows within a window and are tied closely to the current browser.
There are reasons to have popups like, for example, color or date pickers (with a calendar). It is actually much easier to build a draggable DIV than a draggable iFrame but the draggable DIV doesn't show up on top of certain HTML elements and hence becomes useless (even with an infinitely high z-index).
By the way, you can get draggable iFrames to work in both MSIE and Mozilla. I just bought my iMac for testing but I'm pretty sure I can get it to work in the Mac versions too as they all have the necessary language and DHTML components. All I can say though is that JavaScript and DHTML are definitely vendor dependent, and I don't care if you are Mozilla or Apple or Microsoft, they ALL have quirks and bugs that go outside of the specifications. In many ways, my high speed photoshop-style image scripting program (for use on web servers) was easier to write in C# than trying to figure out how to make things work across every browser out there!
Anyways, programmer alert. I wouldn't depend on popups working in the future if your app depends on it. Make sure to use iFrames or have a non-popup-dependent way of doing the same thing!
Re:Once again, why needless use of Javascript is B (Score:3, Insightful)
Yup. It further demonstrates why any financial institution that requires you to enable javascript in order to use their website should be deemed incompetent.
Re:Once again, why needless use of Javascript is B (Score:3, Informative)
OK, let's try something easier. I've got a table with many rows where each row contains two sets of radio buttons. When one of the radio buttons in the first set is selected, you shouldn't select an answer in the second set. Thus, I use Javascript to disable the second set of radio buttons when that particular option is chosen. Care to tell me how to do that using regular HTML?
Re:Once again, why needless use of Javascript is B (Score:3)
There you go. You've just shown your ignorance. For simple web pages I would agree, but this vulnerability is for, and demonstrated in, a web application.
As other posters have pointed out, you cannot get some features of an application without using Javascript.
So, until the world starts using something like Webstart and downloadable, secure thick clients via the web, the browser is all that we have. Perhaps th
Re:Once again, why needless use of Javascript is B (Score:4, Insightful)
Just what I want.. a user posting 300 times before realizing that, yes, they must fill out the form. Think about something like Yahoo mail. I can go into a new message and if I forget to put in a To:, it will still post to the server and come back and say that I'm a moron. With JS verification, I would know instantly.
Obviously client-side verification shouldn't be used for passwords, but checking that a form is at least completely filled out is very helpful, both as a designer and a web user. Client side verification is practically instant and does not burden the server with incomplete requests. Of course, client side verification does not exempt you from having to perform server side verification.
Re:Once again, why needless use of Javascript is B (Score:3, Informative)
This excellent article on ALA [alistapart.com] should answer any pending questions on the issue.
BTW, the target attribute of anchors was dropped between XHTML 1.1 Transitional and XHTML 1
Re:Once again, why needless use of Javascript is B (Score:5, Informative)
1. 'target' is certainly part of standard html.
http://www.w3.org/TR/html4/present/frames.html#ad
Just because it isn't defined initially by the A tag doesn't mean the A tag can't use it.
2. From http://www.w3.org/TR/html4/types.html#type-frame-
PS. Hey mods, if you don't know about a subject, don't mark a post 'informative' just because there's a link in it.
Re:Once again, why needless use of Javascript is B (Score:3, Informative)
In strict, frames and target= are deprecated.
Re:Once again, why needless use of Javascript is B (Score:3, Informative)
The "target" attribute still exists in the Transitional and Frameset versions of HTML 4.01 and XHTML 1.0. XHTML 1.1 does not have a Transitional or a Frameset version; however, it is a modularization of XHTML which means that the same functionality can be easily re-introduced. For example, Jacques Distler has produced a page using the "target" attribute [utexas.edu] which is valid against an extended XHTML 1.1 DTD. This is one of the major selling points of XML-based markup and ha
Re:Once again, why needless use of Javascript is B (Score:3, Insightful)
Some little JavaScript projects I have done:
Bugzilla #273699 (Score:3, Informative)
Mozilla/Firefox Workaround (Score:5, Informative)
1. Enter about:config in the Location Bar.
2. Enter dom.disable_window_open_feature.location in the filter field.
3. Right-click (Ctrl+click on Mac OS) the preference option and choose Toggle (the value should change to true).
This issue is already being worked on bug 273699 [mozilla.org] (copy link location, paste) filed a few hours ago.
As a side note, being able to see the bug fixing progress unfold is one of the many reasons why I love open source. I am able to learn so much from just seeing the process take place from start to finish, how it is reported, test cases created, problems that arise, insights into other parts of the system, who the people involved are, reviews, patches, etc.
Re:Mozilla/Firefox Workaround (Score:5, Informative)
From the page:
"Note that, although the attack site can inject its own content, it cannot change the URL appearing in the Location Bar. Firefox and Mozilla have the ability to deny access to the Location Bar so all pop-up windows always have it."
Re:Mozilla/Firefox Workaround (Score:5, Insightful)
In general, it's always going to be possible if you are browsing sketchy and secure sites at the same time that the sketchy site might pop up some deceptive window, and if you are confused, and can't see the URL bar, you might think it came from the secure site, with or without this specific injection issue. Which is why this workaround ought to be default behavior anyway (I HATE sites that try to hide my location bar and navigation toolbar, those bastards).
Anyway, the point is, yes the issue should be fixed, but if you applied the workaround, it makes the exploit essentially worthless to an adversary.
Results for Slackware 10, Konqueror, Mozilla (Score:3, Informative)
Slackware 10, Konqueror, and Mozilla 1.7.3.
Results with Konqueror: the popup did NOT point back at Secunia, it pointed at Citibank. Perhaps this is because I have Konqueror configured to open new windows in tabs and have "smart" popup blocking enabled. Would someone try and confirm this? If it is the issue, then we can block the vulnerability in Konqueror, at least.
In Mozilla, the popup trick worked. Bad Mozilla!
FYI
Re:UPDATE: Slackware 10, Konqueror, Mozilla 1.7.3 (Score:3, Interesting)
In Javascript, if (and only if) your web page opens a new window, it "owns" that window. In other words, you have access to the whole DOM in that window. You can step through the document object, alter things, and so forth. This is how things are supposed to work; it's what enables us to open new windows and interact with the user. For example, ma
Firefox 1.0 (Score:3, Interesting)
If I middle-click on the test page and *force* Firefox to open the site in a new tab, the exploit fails.
I don't know enough to know if this is a limitation in the exploit or in how they've written the exploit, but it's odd and interesting.
in my opinion there is a simple fix for this (Score:3, Interesting)
Well, why not make a new rule in JavaScript that would disallow any JavaScript code from accessing any popups that aren't a direct child of the current instance of the browser.
Basically what I mean is to have each window in its own namespace and have the child window share said namespace. (I think one would have to not allow grandparents to access it either, though.)
So basically if two separate windows open a window with target="name" then 2 windows are opened, one for each instance, and they have nothing to do with each other.
proxy
As of right now... (Score:4, Funny)
And this is a version of Firefox I installed approximately two weeks ago.
Vulnerability? For dyslexic octopii, maybe (Score:3, Interesting)
This strikes me as about as dangerous as the post-SP2 "Warning! If you copy and paste shit files from the net and click a few boxes, YOU COULD GET SPYWARE!".
For the record, I just nuked and reinstalled XP-Sp2 + hotfixes a few days ago (for once, not because it was fucked up, but my new raid0 array), so I have cherry IE6 and unextensioned-FireFox 1.
I tried several variations of the convoluted instructions, and could get no explicitly dangerous behavior. Mozilla didn't bat an eye, and IE once popped up a box saying "The script is trying to close this window, do you want to let it?" If I let it, then it opened the Citibank site in the window again.
Oooh, scary.
I'm sure there may be some actual, dangerous vulnerability here somewhere. But I've gotten better instructions from the Japanese ASUS site, translated through Google.
just say no to javascript (Score:3, Interesting)
For firefox or opera just turn it on when you absolutely need it and never forget to turn it off right away when you are done. For IE make use of the security zones to implement javascript whitelisting. That's what I do because with firefox and opera I often don't remember to turn it off again until I start getting annoying popups or worse.
Seems like more than half of these vulnerabilities that keep popping up make use of javascript. That last one with the online banking passwords was pretty scary and made me very glad that I browse with javascript off.
backwards on Firefox 1.0? (Score:3, Insightful)
Mixed risk (Score:3, Informative)
But I ran the tests, and here are my results:
Mac OSX 10.3.6
Safari 1.2.4 (v125.12) - Not affected according to test.
FireFox 1.0 (G4 optimized build) - Affected according to test
Camino 0.8.2+ - Affected according to test
All browsers have pop-up blocking enabled, and some sort of ad filtering (Pith Helmet, Ad Block, etc).
Your mileage WILL vary.
So... (Score:3, Funny)
Re:It doesn't affect Safari (Score:5, Informative)
After you have clicked on the link, you have to refresh the Secunia page, then it will work. It's kinda strange, but I guess it is a vulnerability. Kinda like walking back and forth through a bad neighborhood while counting your cash.
NarratorDan
Re:It doesn't affect Safari (Score:3, Insightful)
If so, then it's not "jumping through hoops", which makes Safari as vulnerable as any other browser.
Re:Doesn't work for me (Score:5, Informative)
In Internet Explorer I pressed "With popup-blocker" (Google Toolbar) and up came Citibank, then I pressed the Fraudulent E-Mail button, and up came Citibank's popup window. Only when I closed the popup window did the "This was hijacked" window appear (as if triggered by the window.onclose function), but that does not strike me as a gigantic security hole.
Of course the issue in itself is scary, but I'm confident the Mozilla team will have a patch out in no time.
This should probably serve as a reminder to webmasters out there, that if you want users to trust content you provide in popup windows, e.g. for credit card payments, you should provide the address bar, and if the credit card processing takes place on another server, explain to the customer before he clicks "pay by credit card" why the window will load from another server.
Re:Doesn't work for me (Score:3, Informative)
I did this, and Firefox 1.0 (Linux) was vulnerable. The site wasn't clear that the first site wasn't the vulnerability, but links from a genuine site can be made vulnerable.
Of course,
Re:Doesn't work for me (Score:3, Informative)
I'm also confident that this will be fixed soon, but it's also not really a big issue for me because I do mostly tabbed browsing. It is very rare that I open a new site in a separate window anymore.
Re:Doesn't work for me (Score:5, Insightful)
I disagree. I think they have their moments. Such as displaying incidental information without interrupting the flow of something you're already doing (say, a help link in a wizard-style sequence of pages).
Like everything else, popups are a tool which can be used or misused. Unfortunately they're mostly misused.
Re:I call bullshit!! (Score:5, Informative)
1) Send out a phishing expedition, asking people to log into their BofA account to update their account information. Make it look real official, and include a link that goes to "https://www.bankofamerica.com". The new window takes them to the real site, encrypted and everything.
2) Customers login and check their mailing address, or whatever.
3) Some percentage of them will leave their windows open for more than 10 minutes, at which point BofA sends their standard pop-up window warning about account inactivity and logout.
4) Hijack the pop-up window and do Something Nefarious, like initiate a funds transfer.
Now, this isn't a perfect example. But there are an untold number of different sites out there who use pop-ups for perfectly reasonable applications, and it would be trivial for some phisher to get people to go to those sites using his link.
The best thing to do is, for those sites who use pop-ups to communicate with their visitors, use some nonstandard form for naming those windows. Use the person's username, a random string, a DES hash with the first two characters of the day of the week as the salt and the time the page is first loaded as the string, whatever (no, don't use "whatever", that's just a figure of speech).
Another clue for webmasters (Score:3, Insightful)
It's incredibly sad that pretty much every bank I've ever used doesn't think I might like to know that I'm really talking to their server when I use their web interface.
Re:Firefox 1.0 seems fine (Score:3, Interesting)
Re:Vulnerability? (Score:4, Insightful)
Has happened before.
Users may still have to click something, but they could easily be tricked into doing that. Most users aren't constantly vigilant and observant. If the compromised banner ad opened another window that looked like Citibank's site whilst you were using Citibank's site, you could fall for it - especially since Citibank does use pop-ups.