Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major Browsers Have JS Pop-Up Flaw

Posted by Zonk on from the security-flaws-build-character dept.

An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."

6 of 397 comments (clear)

  1. Ahh I love Javascript dialogs, I really do by British · · Score: 4, Insightful

    Ever get rooked into going to a website with perpetual Javascript pompts? I love those.

    The only way out of them is to kill your browser process outright.

    This is a prime opportunity for mozilla developers to do a slight tweak to the prompts. a "kill all javscript for the rest of this session" button, etc.

    It seems to have been forgotten, or deferred.

    1. Re:Ahh I love Javascript dialogs, I really do by Threni · · Score: 3, Insightful

      > This is a prime opportunity for mozilla developers to do a slight tweak to the
      > prompts. a "kill all javscript for the rest of this session" button, etc.

      I mentioned this last year, and was told to turn off javascript. I installed PrefBar to make this process easier (F8, click, F8) but then it's turned off until you turn it back on again. I need it on for some sites. What would be better would be an AdBlock style whitelist of sites where you need it enabled, so it can be disabled for the rest. It could even be part of AdBlock, given that JS is often used to stick commercial popups in your face when you're trying to read something!

  2. Not really the popups by luvirini · · Score: 4, Insightful
    It is not really the pop-ups that are the security propble. It is the fact that the user interface is written in a way that does not make the different things clearly separated.

    It corresponds to say.. running a browser, a spreadheet and say a game at same time and then getting a dialog box that is not identifiable saying "Do you want to save?".

    Different problems of this sort will only raise as more and more applications are run as web based. Today it is popups that are not identified, tomorrow something else.

  3. Re:Lets see.... by JimDabell · · Score: 4, Insightful

    Actually, Konqueror 3.4.1 isn't affected either (it displays the hostname in the popup title bar).

    These kinds of security holes are far harder to find than simple buffer overflows, because the real flaw is that the user misunderstands information that is presented in a particular context. There's no real technical error, it's purely a user interface issue. You have to think about how a user would perceive any particular information under all kinds of different contexts.

    This also means that open-source doesn't confer all of the security advantages that it does when applies to mistakes in the code, as everybody can see the UI even in a closed-source browser like Internet Explorer.

  4. Re:stop developing with JavaScript by Christianfreak · · Score: 4, Insightful

    Javascript is very useful to creating rich web applications that don't have to reload the pages. Seen Google maps or Gmail? How do you think they did that?

    I agree that Javascript should not nessicarily be required to view content on a general website but properly used it gives a whole new dimension to web apps.

    People give the guns and P2P analogy all the time here: they both have proper uses and improper uses and banning them, or not using them because they have improper uses makes no sense. How is Javascript any different?

    --
    The Anti-Blog
  5. Re:old news by n0-0p · · Score: 4, Insightful

    I know the Mozilla devs were talking about this a few weeks back on one of the lists. They said they didn't consider it a severe security issue yet, but were working on the engine so that popups would be tab and window modal. They've also added pieces to the plugin interface so that plugin developers (Flash and Java for instance) can honor Mozilla's popup blocking.

    Currently, if you're popup blocking for all but trusted sites you should be relatively safe from this. It really is hard to prevent phishing attacks though. They attack the users judgement, which unfortunately tends to be the weakest link.