Classic false dichotomy.
Name a third option.
Border patrol. They are there to secure our borders from illegal immigrants and protect the borders from invaders
And they keep getting more and more "border" to patrol to go with those increased powers to do it with. Currently they can stop anyone, citizen or not, within 100 miles of a border.
I was left with the impression that he considered talking to me to be a waste of time
This is probably because there's another dozen patients literally dying to see him, and stuff like "what should I do about my disease" is best left to your primary care doctor who should ideally know all the drugs you're on and all your allergies and your complete medical history and have 15 minutes to discuss this stuff with you without being pre-empted by some guy getting hit by a car.
do they not have important data that could be used in an identity theft?
The "Red Flags Rule" isn't about stealing data, it's about requiring people to watch for signs that stolen data is being used (hence "Red Flags"). Things like fake IDs, addresses that don't match your records or are not valid, or an SSN that isn't in the date range for the person's DOB.
that many people just can't keep a secret
How many people worked on the Manhattan Project?
People will keep a secret when they've got a reason to keep a secret.
The copyright notices have been posted there for the last nine months, though the leopard might have used them for kitty litter.
"Oh, I bought that for my friend Steve."
That's what they all say.
Other than testing the number of respawns.
Well, you can always scream for tech support. (wait, wrong movie...)
So you're asking for evidence-based legislation?
Why don't we just demand death panels for legislators ;)
What people want isn't to see the laws, what they want is "cvs blame" so they know when those must-pass bloated piles of crappy bills come up, they know who actually added each little bit of pork.
I already had tabs built into my operating system, they called it the taskbar.
Sure, if you have a task bar that takes up half the screen or you want to go through dozens of "tabs" that all say "Internet Ex..." At least Firefox's default tab bar starts scrolling once there's too much to fit on one line without changing the title to "Sl..."
What's the vulnerability being attacked here anyway?
The User. BTW, this works on multiple windows too.
I know of no way for content in one tab to insert content or even change the location of another tab ...
It doesn't. Attacker convinces The User to click on example.com/evilsite/awwcutekitty.html which shows them a cute kitty. They think it's neat and they go to tweet it to their friends or whatever. Once they switch tabs (or windows) the onblur command replaces the cute kitty with a login screen, possibly one chosen using the :visited css hack so it looks like a site they actually use. They go back to where they thought the cute kitty was, and when the cute kitty isn't there anymore, they don't think "Hey my cat picture has been replaced by a gmail phishing site" they think "aww I must have closed it. Now I gotta log back into gmail to get the link again since my session timed out"
Um... problem: Average Joe doesn't know about tabbed browsing in the first place, let alone clicking or opening 30 tabs.
That's ok, it works with multiple windows too.
But I'm fairly certain the average tabbed browser user has better things to do with their time than sit there and memorize the content of every tab in order. Looking through the other posts here, it basically boils down to "I have a system" (i.e. gmail is ALWAYS the first tab on the left, so a gmail "logged out for inactivity" screen somewhere else is wrong) or "I haven't got a clue what I opened in which tab".
the display of a new login prompt is inherently suspicious
And you KNOW it's a new login prompt because you memorize every single page in every single tab, even those pages where you middle click a link to read later, and if just one of those 30 tabs were out of place, you'd know right away?
Protip: everyone else isn't you.
Average Joe wouldn't have bothered to memorize which tab had which page, so if he saw a page that looked like his bank website telling him he's logged out due to inactivity and he needs to log back in, he wouldn't think "wait, I was logged in on tab 8 not tab 23" he'd probably try to log back in.
isn't there an HTTP header that will prevent this
I got nuthin
user actually changed tab?
window.onblur()
Being somebody who has 20-30 tabs up and running along with massive tab switching, I can't see how I would not spot that it's forcefully reloaded and wrong?
Do you know for certain, without looking, what is in tab #8 right this instant? If you had to look, then if you didn't read the exact URL you just lost. If you didn't have to look or you looked at the URL instead of just the title or the icon on the tab, then you would realize that tab #8 was wrong and you would be immune.
I think the majority of people would fall for it, even if they only had three or four tabs open instead of 20-30.
Is this an American pop culture reference
Given that Cid is the recurring character name for the airship pilot/mechanic/engineer in the Final Fantasy games developed in Japan, the answer is "it depends on what you consider American".
So, if a legitimate page is loaded in a tab, how is a new DIV painted on top of it by an outside source?
No no no, your legitimate page is loaded in Tab 18. Or was it 32 or 3 or... well, that doesn't matter. What matters is that the Evil Site on Tab 6 now looks like a login page for a site that you've been to before (detected by :visited). And you were logged into gmail on Tab 6, right? Right???
you are logged into Facebook right now. Would you not find it suspicious if when you clicked back over to it, you were greeted with a login screen?
Only if you knew Facebook never timed you out if you left it alone like just about every other website out there. Try substituting it with a bank login screen.
You can't check someone's browser history using JavaScript
You don't read slashdot enough: :visited
Not that easy, in fact, if you could come up with a way to create sites people never wanted to close
Or just get your script embedded in someone else's website through cross-site scripting or an ad network willing to look the other way for money.
Can Javascript really access other tabs or windows
No.
The attack here is that you have 50 tabs open, and suddenly tab 32 (the tab that was supposed to be a funny cat video but was running the Evil Script) turns into a facebook login page saying that your session expired. Were you logged into facebook on tab 32? Are you SURE?
Don't use facebook? That's OK, the :visited CSS hack can be used to pick a login screen that you do use.
Simple solution - don't use tabs in browsers.
So, how many windows do you have open before you forget whether or not you logged into gmail in one of them? Did you memorize the position of the gmail window on your task bar, or are you going to alt-tab through them and stop at the first one that tells you you've been logged out of gmail and need to log in again?
No, tab 1 is still the same site as ever, but the page you visited in tab 34 and forgot about 30 minutes ago suddenly looks like a facebook "you have timed out please log in" page. It's even used javascript to change the title of the tab and the favicon.
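The two observable signals in this thread are the blur event (the page learns it is no longer in front) and the later rewrite of the tab's title and favicon. The following is an added example, not code from the thread or from the original proof of concept: a heuristic detector, of the kind a browser extension could run, that replays a constructed log of per-tab events and flags any tab whose title or favicon changed while the tab was not focused. The event shapes, the severity levels and the LOGIN_WORDS pattern are assumptions made for this example.

```javascript
// Added example, not from the thread: heuristic detection of the tab-swap
// pattern (a hidden tab rewriting its title/favicon to look like a login page).
// Event shapes, severities and LOGIN_WORDS are assumptions for this example.

const LOGIN_WORDS = /\b(sign ?in|log ?in|session (has )?(expired|timed out))\b/i;

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// Constructed sample log. Tab 6 starts as a harmless page and rewrites its
// title and favicon after the user moves to tab 18; tab 18 is a normal mail
// client that legitimately updates its unread count in the title.
const SAMPLE_EVENTS = [
  { t: 0, tab: 6, kind: "load", origin: "https://example.com", title: "Aww, cute kitty", favicon: "https://example.com/favicon.ico" },
  { t: 1, tab: 6, kind: "focus" },
  { t: 2, tab: 18, kind: "load", origin: "https://mail.example.net", title: "Inbox", favicon: "https://mail.example.net/favicon.ico" },
  { t: 3, tab: 6, kind: "blur" },
  { t: 4, tab: 18, kind: "focus" },
  { t: 5, tab: 18, kind: "title", value: "(2) Inbox" },                            // focused: ignored
  { t: 6, tab: 6, kind: "title", value: "Session expired - please sign in" },      // hidden + login wording
  { t: 7, tab: 6, kind: "favicon", value: "https://mail.example.net/favicon.ico" }, // hidden + foreign host
  { t: 8, tab: 18, kind: "blur" },
  { t: 9, tab: 18, kind: "title", value: "(3) Inbox" },                            // hidden but benign
];

function newTabState() {
  return { origin: null, focused: false, title: null, favicon: null };
}

// Returns one alert per suspicious change. Severity reflects how closely the
// change matches the swap-to-a-login-page pattern: a favicon that now points
// at a host other than the tab's own origin is the strongest signal.
function detectTabnabbing(events) {
  const tabs = new Map();
  const alerts = [];
  for (const ev of events) {
    if (!tabs.has(ev.tab)) tabs.set(ev.tab, newTabState());
    const st = tabs.get(ev.tab);
    switch (ev.kind) {
      case "load":
        st.origin = ev.origin; st.title = ev.title; st.favicon = ev.favicon;
        break;
      case "focus": st.focused = true; break;
      case "blur": st.focused = false; break;
      case "title":
      case "favicon": {
        const before = st[ev.kind];
        st[ev.kind] = ev.value;
        if (st.focused || before === ev.value) break; // only changes made while hidden matter
        let severity = "low";
        if (ev.kind === "favicon" && st.origin && hostOf(ev.value) !== hostOf(st.origin)) {
          severity = "high";   // favicon borrowed from a host that is not the page's own origin
        } else if (ev.kind === "title" && LOGIN_WORDS.test(ev.value)) {
          severity = "medium"; // title rewritten to read like a login or timeout page
        }
        alerts.push({ tab: ev.tab, at: ev.t, field: ev.kind, from: before, to: ev.value, severity });
        break;
      }
      default:
        break;
    }
  }
  return alerts;
}

console.log(JSON.stringify(detectTabnabbing(SAMPLE_EVENTS), null, 2));
```

On the sample log this yields three alerts: a medium one for tab 6's login-style title, a high one for tab 6's favicon now pointing at mail.example.net, and a low one for tab 18's unread-count update. The low alert is the caveat: legitimate pages do change titles while hidden, and some serve favicons from a CDN host, so this is a heuristic that needs the origin comparison to be useful rather than a blanket "title changed while hidden" rule.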
Pop Quiz! Were you logged into Facebook on tab 48, tab 18, or tab 42???!?!
All it takes is a bit of javascript inserted into a normal site using cross-site scripting, or an intentionally malicious site in the first place, or an adserver serving up whatever javascript anyone pays them to host. This is why I use NoScript.
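Two of the three delivery routes named in this comment (script injected through cross-site scripting, and an ad server hosting whatever it is paid to host) are the ones a site operator can constrain, and that is where the HTTP header asked about earlier actually helps: a Content-Security-Policy `script-src` directive decides where script may come from. It does nothing against a site that is malicious from the start, since the header governs script sources, not what the page's own script does once it runs. The following is an added example, not code from the thread: a small evaluator for `script-src` that compares a weak policy, which still admits inline script and any `https:` host, with a policy limited to the site itself and one named ad host. The origin, host names and policies are constructed for this example, and nonce, hash and path matching from the CSP specification are deliberately left out.

```javascript
// Added example, not from the thread: evaluate script loads against the
// script-src directive of a Content-Security-Policy header. Origin, hosts and
// policies below are constructed; nonce/hash/path matching is omitted.

const PAGE_ORIGIN = "https://www.example.test";

const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRICT_POLICY = "default-src 'self'; script-src 'self' https://ads.partner-cdn.test";

// Script loads the page might attempt: the first two are intended, the last
// two stand for the injection routes (XSS, an unlisted ad host) in the comment.
const SCRIPTS = {
  firstParty: { src: "https://www.example.test/js/app.js" },
  partnerAd: { src: "https://ads.partner-cdn.test/tag.js" },
  injectedInline: { inline: true },                          // script tag smuggled in through XSS
  unlistedHost: { src: "https://unlisted-ads.test/tag.js" }, // third-party script the site never vetted
};

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one CSP source expression admit this external script URL?
function hostSourceMatches(source, scriptUrl, pageOrigin) {
  if (source === "'self'") return scriptUrl.origin === pageOrigin;
  if (source.startsWith("'")) return false;                   // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {                 // scheme-source such as https:
    return scriptUrl.protocol === source.toLowerCase();
  }
  let rest = source;
  const schemeMatch = rest.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (schemeMatch) {
    if (scriptUrl.protocol !== schemeMatch[1].toLowerCase() + ":") return false;
    rest = schemeMatch[2];
  }
  const host = rest.split("/")[0].split(":")[0].toLowerCase(); // drop path and port
  const target = scriptUrl.hostname.toLowerCase();
  if (host === "*") return true;
  if (host.startsWith("*.")) return target.endsWith(host.slice(1));
  return target === host;
}

// Decide whether a script (inline, or external via src) may run under policy.
function scriptAllowed(policy, script, pageOrigin) {
  const sources = policy.get("script-src") || policy.get("default-src");
  if (!sources) return true;                                  // nothing governs script: allowed
  if (sources.includes("'none'")) return false;
  if (script.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(script.src);
  return sources.some((s) => hostSourceMatches(s, url, pageOrigin));
}

// Evaluate every sample script under one policy header.
function evaluatePolicy(header) {
  const policy = parseCsp(header);
  const result = {};
  for (const [name, script] of Object.entries(SCRIPTS)) {
    result[name] = scriptAllowed(policy, script, PAGE_ORIGIN);
  }
  return result;
}

console.log("weak:  ", evaluatePolicy(WEAK_POLICY));
console.log("strict:", evaluatePolicy(STRICT_POLICY));
```

Under WEAK_POLICY all four loads are permitted, so the injected inline script and the unlisted ad host both run; under STRICT_POLICY the two intended loads still work while those two are refused. The practical point is the `https:` scheme-source in the weak policy: it reads like a restriction but admits any host on the web, which is exactly the ad-network route the comment describes.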
The original author (not linked in the submission) points out that you can use the :visited hack to choose a login screen that the user would expect to see. And you can use various other hacks to determine if the user is currently logged into some site or not.
They've gotten a lot of (well deserved) flak in the past for linking a blog that links an original story, and I'm glad they're listening
They're not listening, the blog post they substituted is still just someone bloviating about the original article and proof of concept.
In action, it's scary in a way that just listening to some blogger yak about it doesn't get the point across, and the author points out how to use the :visited detectors and various hacks to detect if you've logged into a site or not to make it even scarier.
I'm not sure how you'd go about changing another tab (unless there's a bug). What I think is more likely is that someone who has 20+ tabs open isn't going to remember which of those tabs was the one they logged into facebook on, so when they come across a tab that says "timed out, please log in again" they're going to assume that one was correct.
Doesn't help that by default, tabbed browsers show [ F... ] when you've got more than three or four tabs across the top of the screen. Not that [Face...] down the side is a whole lot better...