Phishers could exploit a vulnerability in several popular Web browsers, according to a report from security research firm Secunia. The flaw would allow cybercriminals to steal personal information from victims.
Specifically, malicious Web sites could spoof pop-up boxes in Internet Explorer for both Mac and Windows, Opera, Safari, iCab, Mozilla, Firefox and Camino browsers.
“The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open — for example, a prompt dialog box that appears to be from a trusted site,” said the Secunia alert.
Secunia said successful exploitation normally requires that a user be tricked into opening a link from a malicious Web site, thinking it belongs to a trusted Web site. The firm warned users not to browse unfamiliar sites at the same time as they are browsing trusted Web sites.
Warning Users
Microsoft launched its own investigation into the phishing method that affects its browsers and those of its competitors. Microsoft Security Advisory 902333 said customers who already follow its general guidelines about avoiding spoofing and phishing attacks are at a reduced risk of being affected by this issue.
“If a particular window or dialog box does not have an address bar and does not have a lock icon that can be used to verify the site’s certificate, the user is not provided with enough information on which to base a valid trust decision about the window or dialog box,” the Microsoft advisory said.
The new vulnerability also affects the open-source Firefox 1.0.5. The new browser is in its final testing stages. Mozilla’s blog reported the Firefox 1.0.5 release is in the “not too distant future.”
Mozilla did not return calls seeking comment on its planned response to the pop-up flaw; however, the organization did develop a patch last April that allows users to block Java- and Flash-based pop-ups that don’t come from trusted sites.
Impact on E-Commerce
Jupiter Research analyst Joe Wilcox told TechNewsWorld that if online consumers had good surfing habits, then vulnerabilities like this one wouldn’t be much of an issue. “The bottom line is if anything pops up while you are on the Web and you didn’t initiate the action, close that window,” he said. “It’s as simple as that.”
Of course, he added, that doesn’t mean companies shouldn’t try to prevent the problem. “Obviously the vendors should try to protect the users of their products as much as possible. If something like this pops up, then they should take it seriously,” Wilcox said.
Analysts said pop-up blockers and patches that address JavaScript pop-ups might not sit well with some e-commerce sites. One way for a legitimate site to get around the pop-up blockers has been to use JavaScript or Flash to launch ads.
“This could create a problem for sites that still want to offer what they consider to be legitimate advertising,” Wilcox said. “The bottom line is that any pop-up ad that you don’t initiate is cause for concern, even if it’s at a trusted site.”
Testing for Vulnerabilities
Secunia has developed a test for consumers to discover whether or not their browser is vulnerable. The demonstration will open the Google.com Web site.
After a while, a JavaScript dialog will be displayed in front of the Google.com Web site. Consumers are vulnerable if a JavaScript dialog box appears in front of the Google.com site without displaying information about its origin.