Major Browsers Have JS Pop-Up Flaw
An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."
This is only a 'security flaw' in the same way that those banner ads that look like warning dialogs are...
Ever get rooked into going to a website with perpetual Javascript prompts? I love those.
The only way out of them is to kill your browser process outright.
This is a prime opportunity for Mozilla developers to do a slight tweak to the prompts: a "kill all javascript for the rest of this session" button, etc.
It seems to have been forgotten, or deferred.
Well, I think the idea is, you could be on some trusted site, and some porn site spyware/adware could pop up a javascript browser and for all intents and purposes it would look like it came from the trusted site.
i could live a little longer in this prison
It corresponds to, say, running a browser, a spreadsheet and say a game at the same time and then getting a dialog box that is not identifiable saying "Do you want to save?".
Different problems of this sort will only arise as more and more applications are run as web based. Today it is popups that are not identified, tomorrow something else.
Actually, Konqueror 3.4.1 isn't affected either (it displays the hostname in the popup title bar).
These kinds of security holes are far harder to find than simple buffer overflows, because the real flaw is that the user misunderstands information that is presented in a particular context. There's no real technical error, it's purely a user interface issue. You have to think about how a user would perceive any particular information under all kinds of different contexts.
This also means that open-source doesn't confer all of the security advantages that it does when applied to mistakes in the code, as everybody can see the UI even in a closed-source browser like Internet Explorer.
You are forgetting that the normal way in which browsers have presented HTTP authentication for years is in a popup window. I'd expect many people to have logged into legitimate sites with what appears to be a popup to them.
What's a "malicious site"? There have been worms and viruses that insert malicious code into whatever HTML they can access. Suddenly, the definition of "malicious site" includes the website of every organisation that is susceptible to worms and viruses.
Javascript is very useful for creating rich web applications that don't have to reload the pages. Seen Google maps or Gmail? How do you think they did that?
I agree that Javascript should not necessarily be required to view content on a general website but properly used it gives a whole new dimension to web apps.
People give the guns and P2P analogy all the time here: they both have proper uses and improper uses and banning them, or not using them because they have improper uses makes no sense. How is Javascript any different?
The Anti-Blog
I know the Mozilla devs were talking about this a few weeks back on one of the lists. They said they didn't consider it a severe security issue yet, but were working on the engine so that popups would be tab and window modal. They've also added pieces to the plugin interface so that plugin developers (Flash and Java for instance) can honor Mozilla's popup blocking.
Currently, if you're popup blocking for all but trusted sites you should be relatively safe from this. It really is hard to prevent phishing attacks though. They attack the user's judgement, which unfortunately tends to be the weakest link.
The only non-free browser, Opera, already has a fix for it.
What's your point?
I agree that this is an issue, but saying this is a vulnerability in the browser seems a little odd. It feels a little like saying that your email program displaying phishing emails is a vulnerability in the email program. I'm not saying that this isn't something that could be addressed by a change to the browsers, but the headline (and TFA) make it sound like the code in the browsers is faulty.
It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.
I'm sure you are absolutely right. And hopefully he'll keep doing it because there are crackers, phishers, and criminals out there who delight in spending 16 hours a day trying to twist browsers into doing what they want. If Secunia is a bit obsessive in their red team activities against computers, then we can hope that they uncover exploits (and motivate patching or disabling of exploitable features) before they appear in the wild.
I, for one, welcome information on what computer software and features can or cannot be trusted.
Two wrongs don't make a right, but three lefts do.
What's wrong with that? It gives people information to help them figure out if they're being phished.
In comparison to Opera's new behavior, IE *is* flawed. I don't see why Microsoft thinks it shouldn't innovate this feature from Opera into IE.
I have done years of development on NeXT systems. You know, before it became the Cocoa that you kids play with today. It was blazingly fast on systems with 8 MB RAM and a 68040 25 MHz CPU. Hell, I'd love to see a fully GUI Java app run on a system like that. It just wouldn't be usable in the least. To claim that Objective-C is slower than Java is foolery of the highest degree!
While Cocoa does not yet use the garbage collection facilities of Objective-C, the GNU runtime does offer them.
But in short, this browser bug is not a result of Objective-C or Cocoa in any way. It is merely a problem with the traditional way of displaying JavaScript popups.
Cyric Zndovzny at your service.
I don't see why Microsoft thinks it shouldn't innovate this feature from Opera into IE.
You know, I've never heard someone use innovate in a sentence like that, but for some reason it seems completely appropriate. Rather like piracy we should dilute the meaning of this word until it's no longer useful in discussion. Then where would Microsoft be?
On another note, when will sites stop relying on freaking popup windows? Besides being blocked by many normal people, they are a real pain and always seem to have bugs associated with them. If you can't design your website to a full browser window, you shouldn't be designing websites!
-- these are only opinions and they might not be mine.
Yeah. I understood how it works. I just think that's the user's problem.
... Calling this a flaw now just seems more like a desperate grab for attention than an actual technical problem to be discussed. If you don't like it, take it up with the standards committee and try to get the behavior redesigned for the next revision of the spec, but don't try to blame the browsers, that's just stupid.
Error occurred between user's ears. Insert neurons to continue.
To be blunt, this is how Javascript has been for years, and those of us who understood the technology all along are now shaking our heads and asking "yeah, so?"
...a problem was discovered and Opera got it fixed quickly. So now you're complaining? :-)
Coder's Stone: The programming language quick ref for iPad
It has been fixed in Firefox. May or may not be a default (can't remember), but when I tried it in Firefox the URL was displayed at the top of the popup window and it was obvious it was a malicious popup. Maybe they are trying to say that because the main browser loads up the legitimate page that it can fool the user into thinking the popup came from it? That's a bit of a stretch... Though I'm not a big fan of this JS popup technique which I've seen sites use to popup ads with.
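
The mitigation this thread keeps returning to (Konqueror showing the hostname in the popup title bar) comes down to labelling each script dialog with the origin of the page whose script raised it. A sketch of that labelling step follows, as an added example that is not part of the original discussion or of any browser's code; `dialogOrigin`, `dialogTitle` and the sample URLs are hypothetical.

```javascript
// Added example: derive the label a browser could put in a script dialog's
// title bar. Function names and sample URLs are hypothetical/constructed.

// documentUrl is the URL of the document whose script called alert/confirm/
// prompt, not of whichever window happens to be in front of the user.
function dialogOrigin(documentUrl) {
  let url;
  try {
    url = new URL(documentUrl);
  } catch (err) {
    return null; // not parsable: no origin can be claimed
  }
  // data:, about: and similar URLs have an opaque origin, serialized "null".
  if (url.origin === "null") return null;
  // origin is scheme://host[:port]; userinfo, path and query are dropped and
  // non-ASCII hostnames come back in punycode (xn--...) form.
  return url.origin;
}

function dialogTitle(documentUrl) {
  const origin = dialogOrigin(documentUrl);
  return origin === null
    ? "Script dialog from an unidentified page"
    : "Script dialog from " + origin;
}

// Constructed sample inputs.
const samples = [
  "https://bank.example/login",
  "https://bank.example@evil.example/login", // "bank.example" is only userinfo
  "https://b\u0430nk.example/",              // Cyrillic look-alike letter in host
  "data:text/html,<b>Session expired</b>",
  "not a url",
];
for (const s of samples) console.log(dialogTitle(s), "<=", s);
```

The label is taken from the parsed origin rather than the raw URL string, so a trusted name placed in the userinfo part or a look-alike hostname does not reach the title bar unchanged.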