Jump to content
Login with your Gmail HERE and start posting in seconds! ×
Don't just read! Be part of the Community! Join the conversation ×

Multiple Browsers Window Injection Vulnerability

kabal1234

By kabal1234
in IT and Computers

 Share

Recommended Posts

kabal1234 Advanced Member

kabal1234

Posted
Posted

Multiple Browsers Window Injection Vulnerability Test

Secunia Research has reported a vulnerability, which affects most browsers. The vulnerability can be exploited by a malicious web site to "hi-jack" a named browser window, regardless of which web site is the true "owner" of the window.

Please use the test below, to see an example of how this vulnerability can be exploited, and also to determine whether or not your browser is vulnerable.

secunia_illustration.jpg

Go here to take the test

rcjoop Senior Member

rcjoop

Posted
Posted
hi'

click on the link no pop-up blocker and firefox 1.0 passes it :o

francois

No it does not pass, well it does pass if you configure firefox for enabling pop-ups and use the test for not-enabled, seems not the way to do it.

If you test with firefox and the selected test both disabled or both enabled it does not pass

Richard-BKK Platinum Member

Richard-BKK

Posted
Posted

This is just a new MS Windows bug.....

I run Redhat Fedora Core 3 Linux with Firefox 1.0 and Mozilla suite 1.7.3 and with both browsers I have no problems...

RDN Ruby Member

RDN

Posted
Posted (edited)

I managed to make Firefox 1.0 fail the test.

Under Tools/Options.../Web Features, I have "Block pop-up windows" checked.

Under Tools/Options.../Tabbed Browsing, I have "Open these requested JavaScript popups in tabs:" set to "No Popups". These Options come with the "Tabbrowser Preferences" extension.

Then I click on the "With pop-up blocker" test link, and then the CitiBank button, it fails - I get this message:

Secunia - Window Injection Test

The pop-up window you requested to open via the CitiBank web site is now controlled by Secunia.com.

This page could easily have contained malicious information spoofed as being from CitiBank, asking you to install programs or disclose sensitive information such as credit card details.

This is only limited by the imagination of the attacker (phisher).

If I change the Tabbed Browsing option to "Unresized Popups", and do the same, it fails.

If I change the Tabbed Browsing option to "All Popups", and do the same, it fails. (Sorry - I previously said it passes, but it failed after a few seconds).

Can anyone explain?

Edited by RDN
waldwolf Silver Member

waldwolf

Posted
Posted
.......This is only limited by the imagination of the attacker (phisher)..........

An new law was introduced in the U.S. Senate on July 9, 2004 which would make "phishing" a federal crime punishable by a large fine and up to 5 years in prison.

Current US laws permit enforcement authorities to prosecute "phishers", but only after someone has been defrauded. This new bill would allow charges against "phishers" for attempting to deceive Internet users.

(It is estimated, losses from "phishing" in the USA alone, will exceed 2 billion dollars in 2004.)

More info:

Anti-Phishing Act of 2004 (pdf)

What Is "Phishing"? A Brief Primer

slimdog Silver Member

slimdog

Posted
Posted

The vulnerabilty only works if you have Java enabled. For general surfing I never enable Java,therefore no pop-up's.There are a few sites which demand it that I do visit so I use Ie for these sites with Java enabled, once finished back to Opera.

RDN Ruby Member

RDN

Posted
Posted
The vulnerability only works if you have Java enabled. For general surfing I never enable Java,therefore no pop-up's.There are a few sites which demand it that I do visit so I use Ie for these sites with Java enabled, once finished back to Opera.

Thanks slimdog. I have enabled Java and Javascript, but under "Javascript, Advanced" I have turned off everything that scripts can do - so now they cannot move or resize existing windows, raise or lower windows, disable or replace context menus, hide the status bar, change the status bar text, change images.

I repeated the test, and Firefox passed. :o

RDN Ruby Member

RDN

Posted
Posted

I turned on the advanced option to allow Javascripts to "change images" (to let the +QUOTE feature to work in Thaivisa), and it still passed.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.






ASEANNOW

ASEANNOW (formerly Thai Visa) Thailand's oldest and most popular forum for expats and foreigners.

Sign up today and have your say

MORE INFO

POPULAR AREAS

CONTACT US

219/59 Asoke Towers, 15th Floor, Soi Sukhumvit 21, Watthana, Bangkok 10110
(+66) 99 196 1100
[email protected]

×
×
  • Create New...