Slashdot Mirror


Major Browsers Have JS Pop-Up Flaw

An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."

19 of 397 comments

  1. Dupe, or just not fixed yet? by KlaymenDK · · Score: 2, Informative

    Isn't this a dupe from half a year ago?

    Too bad if it's just a symptom of the problem(s) just not being fixed yet...

  2. If someone is foolish enough to log in via pop-ups by schestowitz · · Score: 1, Informative

    ...then perhaps the flaw is in the user.

    Very few sites, if any, will use JavaScript/child windows to request details. While I agree that some people are unaware of that, they probably ought to stay away from malicious sites to begin with.

    --
    My Linux - (L)ove (I)s (N)ever (U)tterly eXPensive
  3. NoScript by erykjj · · Score: 2, Informative

    That's why I use NoScript with my Firefox.

  4. Re:Oh I know by CdBee · · Score: 5, Informative

    Easier to use an extension like NoScript - a javascript permission whitelist - to selectively allow pages to run scripts, then control passes to where it should be - the user

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  5. Re:It's not a flaw according to MS... by LiquidCoooled · · Score: 2, Informative

    The REAL banking page is onscreen.

    Popup message box says (something like):
    "MyBank Security Timeout occurred. Please reenter your account details in the following screen".
    OK/CANCEL

    user clicks ok and mysterious screen pops over looking like their real screen and hey-presto, you've been phished!

    --
    liqbase :: faster than paper
  6. Stop Firefox or Mozilla from hiding location by greed · · Score: 5, Informative
    Firefox and Mozilla, and probably any other Gecko-based browsers, have a way of disabling the disabling of various UI elements when JavaScript opens a window. I found this in another Slashdot thread last year, but forgot which one.

    Open about:config . You'll probably have to type that, Mozilla won't follow it from an http: URL.

    Key in dom.disable_window_open_feature as a filter.

    Change the value for location to true. In Firefox, just double-click the false and it will toggle. Mozilla you need to edit it and actually type in all four letters of true. (But I'm happier with the Mozilla suite at the office, so I live with it.)

    Change any other values to true that you feel like; I'd be inclined to do status, resizable, close and menubar at a minimum.

    Now the location will be visible in any pop-up window.

    So the very first thing the Moz group should do is default some of this stuff to true instead of pander to controlling webmasters who want to take over the user's computer. I mean false.
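The preference check described in the comment above, as an added example (not part of the original post): a short Python audit that reads the text of a Gecko profile's `prefs.js` and lists which of the five `dom.disable_window_open_feature.*` settings named in the post are not yet `true`. The sample file contents are constructed, and treating an absent preference as `false` is an assumption taken from the post's description of the defaults.

```python
import re

# Window features the comment suggests locking on (names taken from the post).
FEATURES = ["location", "status", "resizable", "close", "menubar"]
PREFIX = "dom.disable_window_open_feature."

# prefs.js / user.js lines have the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_prefs(text):
    """Return {pref name: raw value string}; later lines override earlier ones."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def audit(text):
    """Map each feature to True when scripts can no longer hide it."""
    prefs = parse_prefs(text)
    # Assumption: a pref absent from the file is at its default,
    # which the post describes as false.
    return {f: prefs.get(PREFIX + f, "false") == "true" for f in FEATURES}


def missing(text):
    """Features that window.open() callers are still allowed to switch off."""
    return [f for f, locked in audit(text).items() if not locked]


# Constructed sample profile contents (not taken from a real profile).
SAMPLE = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_open_feature.menubar", false);
'''

if __name__ == "__main__":
    # Print the lines that would bring the profile in line with the post.
    for feature in missing(SAMPLE):
        print(f'user_pref("{PREFIX}{feature}", true);')
```

The printed lines are in the same `user_pref(...)` form the profile uses, so they can be placed in the profile's `user.js` instead of toggling each entry in about:config.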

    1. Re:Stop Firefox or Mozilla from hiding location by Q2Serpent · · Score: 2, Informative

      This is true, but the security flaw is about opening JavaScript dialog boxes, not new browser windows.

      For goodness sakes, the referenced article even had a test you could run on your own. You would have seen first-hand that your idea, while correct, doesn't address this problem at all.

  7. Give JavaScript a Break by anthm · · Score: 2, Informative

    It may be possible for JavaScript to help evil-doers but it's up to the implementer of the Application using the engine to avoid that, not the language or its core developers. If every invention that could potentially be used for evil was struck down there would be nothing left. JavaScript can do plenty of good and the developers of the open source engines have gone out of their way to make it well documented, embeddable and extensible so you can add it to almost anything that needs a little help with a language parser. In fact, I myself have recently added JavaScript to the Asterisk PBX system to drive IVR and it works quite well without much concern for exploits. RES_JS for Asterisk: http://www.cluecon.com/res_js.html

  8. Re:Ahh I love Javascript dialogs, I really do by Ewan · · Score: 4, Informative

    Check out noscript, firefox extension for whitelisting javascript

    Ewan

  9. If someone is foolish enough... by exp(pi*sqrt(163)) · · Score: 2, Informative

    Yeah! How could anyone be that stupid? I mean we're all taught from the moment we're born that it's not safe to login to something via a popup window. Even my grandma could tell you that.

    --
    Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
  10. Re:Lets see.... by critter_hunter · · Score: 2, Informative

    This wasn't so much a lie as a misunderstanding. Firefox was not nominated in the "web browser" but in the "best software" category, so when Opera ASA saw that they were the only winner in the browser category, they made a news story about it. They retracted a few days later.

    On topic, the vulnerability seems hardly dangerous. Not entirely sure why it deserved a news story...

    --
    Karma: Could be worse (could be raining)
  11. Konqueror is also affected by zr-rifle · · Score: 3, Informative

    I tried it out on Konqueror 3.4.0 and it is also affected. The only minor change is a blank popup window opening together with the javascript query.

    --
    Hack your mind out of its sandbox.
    1. Re:Konqueror is also affected by Gaima · · Score: 3, Informative

      Same thing in Konqueror 3.3.2 and 3.4.1, except the javascript popup has the hostname of the site it came from in the title bar of both versions, so konqueror is in fact not vulnerable.

  12. Not a problem with OS X (Aqua) by crovira · · Score: 2, Informative

    A dialog box is 'owned' and drops down modally on top of the window that 'owns' it.

    A new window is a new window and opens below (if there's room) and to the right (if there's room) of the requesting object window regardless of the amount of gadgetry on it (like title bars, buttons, window styles.)

    It's always possible to fool somebody and they'll possibly be fooled into revealing their personal data, but eventually the problem will take care of itself when these people are bust-ass broke and smothered in spam.

    There's only so much people can do with a stateless environment. This would be a problem regardless of the language used (both computing & human), the browser used or the platform used (both hardware & software.)

    At some point, people will realize this and stop trying to do the impossible.

    Transactions are 'transactions'. That means that they have a 'commit point,' which means that they need a state engine which runs from the beginning of the process to the end of the process.

    And yes, it CAN be done over the internet over a secure connection. But the control has to shift to the transaction machine while the transaction is going on. Neither you nor anyone else should ever be able to spawn a new GUI window while the transaction is happening.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  13. Re:Lets see.... by hkmwbz · · Score: 2, Informative

    Java != JavaScript. This is about JavaScript dialogs, and Opera has built-in JavaScript support.

    --
    Clever signature text goes here.
  14. Re:It's a Buggy Life by D'Sphitz · · Score: 2, Informative

    JavaScript is not Java

  15. Doesn't anyone actually read the article? by 93+Escort+Wagon · · Score: 2, Informative

    I know, I know, I must be new here. But it was a very short article, and right near the bottom it says this (bold text is mine):

    "Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering said.

    Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

    "This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.


    So what does this tell us?

    - The folks somehow blaming Opera for this announcement obviously didn't read past the first couple of paragraphs of this very short article.

    - The folks who are saying "JavaScript is bad" obviously didn't read... okay I'm sure they just saw the word "JavaScript" and went off from there anyway. Hey, guys, enjoy your static black text on white background pages - and we'll see you in the unemployment line. Any ideas on how to manipulate the DOM without JavaScript?

    - While I agree MS shouldn't blow this off, they're probably still busy patching some of those more critical problems.

    - Once again, end user education is probably the answer.

    --
    #DeleteChrome
  16. Re:old news by hkmwbz · · Score: 5, Informative
    "It's advertising and FUD from those Opera guys. They are really getting boring."
    Better put on your tinfoil hat!
    "Someone at Opera reports it (under a false name) as a security issue affecting every browser BUT Opera"
    Wow. I didn't know that "Jakob Balle, Secunia Research" worked for Opera? I thought he worked for Secunia, seeing as he, well, works there and everything?
    "Slashdot runs one more article about the genius of this stupid paid-for, closed source browser."
    You mean Opera? Opera Software, the company that employs and pays several members of the W3C? Which pays real money to people to work on open standards?

    Ah, the evil Opera! I get it.

    "That's not the first time it happens, nor the last one. /., stop supporting Opera FUD. Thanks."
    Asa? Is that you? Why are you posting as an AC?!
    --
    Clever signature text goes here.
  17. Re:Lets see.... by whitehatlurker · · Score: 2, Informative
    This problem was announced several days ago (21st) - though not mentioned on /. until the 22nd and only indirectly. It could have been that Opera (and other browser developers) were informed before Secunia released the warning, and they fixed it during the release of 8.01.

    However, since the "fix" is only to indicate the name of the site launching the pop-up, this may have been a preventative measure included independently to prevent problems similar to the previous vulnerability.

    --
    .. paranoid crackpot leftover from the days of Amiga.