Pop-up vulnerability found in major browsers

Several popular Web browsers contain a vulnerability that could be used by cybercriminals to steal personal data, security company Secunia has warned.

The flaw would allow a phishing attack in which a malicious JavaScript pop-up window appeared in front of a trusted Web site, Secunia said in an alert published Tuesday. This could trick a surfer into revealing data such as a password.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open--for example, a prompt dialog box--which appears to be from a trusted site," said Secunia's advisory.

According to Secunia, the latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino are all vulnerable. Opera 7 and 8 are affected, but not 8.01, according to Opera.

To take advantage of the flaw, a cybercriminal would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialog box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site.

Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that don't include an address bar or a lock icon verifying that they came from a certified source.

Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they come from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.

Opera confirmed Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.

"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering, told ZDNet UK.

Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

By Graeme Wearden
ZDNet UK
