
Take a look at the image here. This is a demonstration from Secunia of a window injection vulnerability that affects most browsers.
The site loaded was the real Citibank website. There's a button on the site that pops up information about phishing schemes. However, Secunia was able to send me to the Citibank site in such a way that when I clicked on the legitimate button, I got a Secunia page instead.
This would fool anyone. The only way to keep yourself safe from this attack is to make sure you NEVER follow a link.
How does it work? The Citibank site opens the pop-up, as usual. The attacking website looks for the pop-up window's "handle" (its window name) to appear, then immediately hijacks the window and displays its own content - which, of course, could be the exact form you are expecting, but submitting to the attacker instead.
More information here:
There are other demonstrations of similar vulnerabilities on the Secunia site, but this one was the only one that Firefox was COMPLETELY vulnerable to. The other vulnerabilities have to do with stealing information from dialog boxes like the one shown here and even form fields on other websites. Firefox was moderately vulnerable to the dialog box hack - at least it kept switching back to the attacker's website instead of staying on the victim site. I couldn't get the form field hack to work in Firefox.
IE is vulnerable to all 3 attacks.
Opera and Safari are vulnerable to at least 2 of the attacks.
Firefox/Mozilla are vulnerable to 1 completely and 1 somewhat.
The Deepnet Explorer isn't vulnerable to any of them. And believe me, they're telling the world about it.