[ISN] Browser phishing 'flaw' could hook users

InfoSec News isn at c4i.org
Thu Dec 9 03:15:05 EST 2004


By Robert Lemos 
Staff Writer, CNET News.com
December 8, 2004

A function built into all major browsers could be co-opted by
attackers to fool Web site visitors into surrendering sensitive
information, a security firm warned on Wednesday.

The issue, which security firm Secunia labeled a flaw, could allow a
malicious Web site to refer visitors to a legitimate site--such as a
bank's Web site--and then control the content displayed in a pop-up
windows. The issue affects Microsoft's Internet Explorer, the Mozilla
Foundation's Mozilla and Firefox browsers, Opera's browser, the
open-source Konqueror browser and Apple Computer's Safari, the firm
stated in advisories on its site.

"No browsers warn or check if the other site is allowed to change the
content of the pop-up window," Thomas Kristensen, chief technology
officer for Secunia, said in an e-mail to CNET News.com. "If the
pop-up window is opened because the users clicked on a specific
functionality, the user has no reason to suspect that the content in
the window has been changed by a malicious site."

The company has created demonstration that takes advantage of the flaw
on its Web site. The example sends a user to Citibank's Web site,
where clicking on the image opens a pop-up Window that is controlled
by Secunia's program.

Microsoft said that the attack uses a legitimate feature of browsers
to fool users.

"Our initial investigation has revealed that the report describes a
by-design behavior in all popular web browsers that allows a website
to open or re-use a window without displaying the address bar, which
is a trust mechanism built into web browsers," the company said in a
statement sent to CNET News.com.

Apple, the Mozilla Foundation and Opera could not immediately be
reached for comment on the issue.

The hack of a legitimate feature is the latest security threat that
could help phishers wrest identity information away from consumers.  
Last month, online intruders breached the security of at least one
server at advertising host Falk and used the computer to distribute an
attack to the service's clients, including The Register, a technology
news and opinion site. Other flaws, together with mass e-mailing of
links pointing to a malicious Web site, have been used to get
aggressive advertising software, known as adware, installed on
victim's computers.

Microsoft stressed that Windows XP users who have installed Service
Pack 2 have some anti-phishing tools. Any window that asks for log-in,
financial or personal information should be encrypted and display a
lock icon in the status bar at the bottom of the window, Microsoft
said in a statement.

"Some phishing cons have shown users a fake lock icon in a fake status
bar at the bottom of the browser window," the statement said.  
"Internet Explorer in Windows XP SP2 will always show the real status
bar so that users can detect a fake lock icon from a real one."

However, Secunia said that the browser makers miss the point. Most
users won't notice small details like that if they believe they are at
a legitimate site.

"The browser vendors fail to take into consideration the change of
malicious activities on the Internet and the fact that security holes,
which can be exploited to automatically install malicious code, isn't
the only thing to be concerned about," Kristensen said.

Secunia advised Web surfers to have only one Window open when you
browse sensitive sites such as banks and Web stores.

More information about the ISN mailing list