Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Java Popup you Can't Stop

Posted by CmdrTaco on from the once-you-pop dept.

An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by user (the wet dream of any web advertiser). Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere' "

2 of 480 comments (clear)

  1. Re:An interesting markettign technique... by Anonymous+Brave+Guy · · Score: 5, Insightful

    If he were selling his software commercially, or people were being directed from the Slashdot front page to a page full of ads, then you might have a point, but that's not the case here. The guy has made an obviously useful tool, gives it away for free, and is warning about an obviously relevant threat. The most he's likely to get out of this is a few small donations or a few more page hits on his site, perhaps making enough to cover the server costs for hosting a popular Firefox extension for a while and a bit of beer money. I think your post is way over the top.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  2. Re:Analysis of the "hack", or how sum of parts bre by jonathan3003 · · Score: 5, Insightful

    I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-
    1. Validate applet size to be always significantly less than screen size
    2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.

    I would expect that "System Modal" should be forbidden from any applet, even if it is signed. After all, it is running in a browser, not directly in the OS, so Application modal should be sufficient. In fact, one can argue that if you are writing an applet and you need System Modal functionality, then you are probably using the wrong technology anyways and should consider alternatives.

    Applets were designed to be sandboxed. System Modal should have been forbidden from the beginning anyways.