Slashdot Mirror
The Java Popup you Can't Stop
An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by user (the wet dream of any web advertiser).
Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere' "
For the love of all that is holy, please don't promote this story to the /. frontpage. The less advertisers that are made aware of this the better.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
this is a real slashdot article, and not some clever cross site full screen javascript faux article out to steal my cookies, hmmm? if i hit submit i might-
oh shit
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
As always, with script-related security flaws, the easiest solution is NoScript, of course.
However, FWIW, I couldn't get either of his demos, the Java or the JavaScript, to work on Firefox 2.0.0.6 on Windows XP, despite the fact that the author says that both work on Firefox.
My blog
I'd really like to see counter methods posted as (special) comments under articles like these. "Links to: How to prevent this". It would be really nice if we could use our mod points to "mark" a comment as a solution that an administrator could then move it to the top. Why the administrator involvement? Simple, to prevent the teams of people who go around and exploit this type of function on Yahoo. This would still allow Slashdot to work off the same random moderator point system it has while keeping some semblance of order. They could play around with how many mod points a comment needs before it can before an admin is notified.
Just a thought.
You'd think so, but spam is apparently still worth the risk and effort too.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Seriously, name me one "house-hold" name website that uses Java applets anyway. Can't we just have it switched off by default? I like Java as a broad technology, but I'm finding applets increasingly irrelevant - interactive rich sites are being taken over by flash, ajax, and the probably-to-be-mainstream-soon Silverlight/Moonlight.
This isn't a flame....Java on the desktop is awesome and I love it.
*runs to the hills*
throw new NoSignatureException();
The whole point of Java was that it was super-sandboxed when running applets and you could enable it for all sites. To prevent phishing, any windows created by a Java applet would have to show 'Warning: Applet window' and a big red border or something like that. I wonder what went wrong to allow this attack, and whether it has been in Java since the beginning (i.e. would work even with Netscape 2.0) or takes advantage of some recently added kewl feature that forgot to do sandboxing properly.
-- Ed Avis ed@membled.com
The problem with ads is that, apparently, the annoying ones are exactly the ones that work. People like you and me hate them, but we're never going to buy their **** anyway. Those irritating jingles that get played endlessly on TV ads irritate the **** out of us, but they attract the attention (and memory) of those gullible enough to buy the goods.
I'm not sure how much this is really backed up by evidence and how much is just "accepted wisdom" in the marketing community, though. There was a particular local firm advertising on the biggest local radio station in these parts a few years ago. They basically took traditional melodies from things like popular nursery rhymes, and rewrote the lyrics to mention their company name repeatedly and the product they were pitching. After a while, they even ran an ad that had the lyrics "We know the songs get on your nerves", which I remember all too well, perhaps making the point for them. That was, however, the last ad they ever ran on that radio station as far as I can tell. I'm not sure what happened to the company...
To bring this back to the current context, though, the theory seems entirely reasonable. Most of us will never support spammers or get caught by phishing, but those stupid enough to reply to bank password checks or ads for legal software downloads are probably also the ones stupid enough to click on the slightly odd-looking dialog warning about a virus attempting to install itself through your web browser. Sadly, given the tiny running costs, it only take a very small proportion of people to be idiots for the spammers/adware merchants to make an awful lot of money.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The real wet dream of any victim would be to be able to disable java or any scriting technology in his browser and still be able to surf on most respectable sites.
I don't want to be a ludite, but on 9 sites times out of 10 that require those technologies, there is very little benefit for the user.
From a quick look at the code, the bug seems to be that you can resize the popup to be bigger than the screen size. So the warning disappears off the bottom of the screen.
If he were selling his software commercially, or people were being directed from the Slashdot front page to a page full of ads, then you might have a point, but that's not the case here. The guy has made an obviously useful tool, gives it away for free, and is warning about an obviously relevant threat. The most he's likely to get out of this is a few small donations or a few more page hits on his site, perhaps making enough to cover the server costs for hosting a popular Firefox extension for a while and a bit of beer money. I think your post is way over the top.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
"Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop and cannot be closed by user"
Thing #397 That You Can Do In Linux But Can't In Other Popular Desktop OS's:
1. Ctrl+Atl+F1
2. Log In
3. missile-launch -f --target-from-process java
4. killall java
4a. killall firefox-bin (if necessary)
Actually this story is strangely coincidental; just a few minutes ago, I was trying to show a coworker a cool graphical demo of different sorting algorithm efficiencies, but I didn't have the Java plugin installed. Still don't.
"Software is like sex; it's better when it's free." -Linus Torvalds
There are people who still browse with java switched on?! That is SO 1990's.
Didn't you read the headline? You can't stop these things. Heck, the demo popped up an unkillable window on my AmigaOS box, and no JVM even exists for that...
The one sure way to endear me to a product and cause me to whip out my credit card is to pop up a window over my entire screen that I cannot remove. This type of "in your face" advertising is exactly what reluctant consumers like myself need.
FAQs are evil.
NO
Ban them from going full screen unless I, the owner of the machine where it wants to go full screen, agree to applications having the right to go full screen.
I don't care about signed code. I do care about my preferences!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Would like to share some specifics. Disassembled the bytecode using javap and used my rusty JRE assembler 'skillz' to understand it, but well, since he seems to have compiled it with full debug options, any idiot can find it ut by staring at the output for a sec.
1. It doesn't use any "go fullscreen" API
2. It's a failure of assuming sum of parts of software is as secure is as its components. It can be "less" secure than any of the component taken in isolation. Point in case is the set of APIs used:
a) Toolkit.getScreenSize(): Used to find size of desktop. Nothing evil here
b) Window.setBounds(): Used to set size of window. Nothing evil, except set it larger than screen size, hence hiding the applet warning by moving it "off screen"
c) Window.setAlwaysOnTop(): Used to set the window on top. Essential for displaying "Modal" dialog boxed like error boxes. Nothing sinister here.
However, the shit happens because all the things taken together can be dangerous. Specially, passing "System Modal" to setAlwaysOnTop().
I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-
1. Validate applet size to be always significantly less than screen size
2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.
Any more ideas shall be appreciated.
Oh, and I again despise him for an irresponsible disclosure and presenting the hack in easily reverse engineered, fully functional code.
- mritunjai
I believe you mean JavaScript viruses (very common) not Java viruses (extremely rare). Javascript viruses tend to be mostly harmless (stuff like, a popup you can't close) and are generally overblown by virus software. That's why your autoprotect software wasn't catching it: It wasn't that important. And erasing the files from your browser's cache after the fact is not really helpful either. You're not really "infected" per se. (Though some of those JS files are vectors into bigger and badder viruses.)
That has to be the worst reason in existence to use IE. If you don't want Java, don't install it. FireFox won't do it automatically, nor will Opera, nor will Safari. Sticking with IE because it doesn't install a JVM by default is nothing more than a false sense of security.
parent rating: -1 FUD
Javascript + Nintendo DSi = DSiCade
I don't see an obvious "fix" except the following hurdles that can be presented to unsigned applets (and hence breaking a lot of hobby games, apps etc)-
1. Validate applet size to be always significantly less than screen size
2. Remove support for "System Modal" for unsigned applets for "setAlwaysOnTop". Application modal is fine, system modal is not.
I would expect that "System Modal" should be forbidden from any applet, even if it is signed. After all, it is running in a browser, not directly in the OS, so Application modal should be sufficient. In fact, one can argue that if you are writing an applet and you need System Modal functionality, then you are probably using the wrong technology anyways and should consider alternatives.
Applets were designed to be sandboxed. System Modal should have been forbidden from the beginning anyways.
A distinction should be made between a website that can't function without client-side scripting, and websites that use it to support various functions but can work without it.
For instance, the multi-level menus on a website should not be the only means of browsing its pages. In fact, if the user were to turn off all of their scripting for their browser, the website should function minimally. Even with Gmail, you could change the site options to "basic HTML", which is found on the bottom of the page.
How about banking websites where you try to pay your bill and want to input the date? Most sites currently have a calendar pop-up for you to display a slick interface. But one should still be able to manually enter in a date that conforms to how the date is stored. (Or use server-side validation & conversion.) Again, inputting a date should not depend on a client-side calendar function since quite a few users use browsers that do not have any client-side scripting functionality.
I agree with your point that a lot of the sites we commonly use have features that depend on client-side scripting, but the website itself should still function if you choose to turn off the functionality on the browser level, and that is what the parent was talking about if I understood their point correctly.
Best "String" Ever!