Pop-up vulnerability found in major browsers

Several popular Web browsers contain a vulnerability that could be used by cybercriminals to steal personal data, security company Secunia has warned.

The flaw would allow a phishing attack in which a malicious JavaScript pop-up window appeared in front of a trusted Web site, Secunia said in an alert published Tuesday. This could trick a surfer into revealing data such as a password.

"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open--for example, a prompt dialog box--which appears to be from a trusted site," said Secunia's advisory.

According to Secunia, the latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino are all vulnerable. Opera 7 and 8 are affected, but not 8.01, according to Opera.

To take advantage of the flaw, a cybercriminal would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialog box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site.

Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that don't include an address bar or a lock icon verifying that they came from a certified source.

Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April, a patch was developed that allows people to block Java and Flash-based pop-ups unless they came from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.

Opera confirmed Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.
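
The origin display Opera describes can be sketched as follows: the dialog's title line is built from the address of the page whose script requested it, and a mismatch with the site in the foreground is flagged. This is an added example, not code from Opera, Secunia or any browser; the function names and message wording are assumptions.

```javascript
// Added example: label a script dialog with the origin of the page that
// requested it, and flag the case where that differs from the site on screen.
// Function names and message wording are assumptions, not any browser's code.

const UNVERIFIED = "A page with no verifiable address says:";

// Build the title line from the URL of the document whose script opened the dialog.
function dialogOriginLabel(callerUrl) {
  let url;
  try {
    url = new URL(callerUrl);
  } catch (err) {
    return UNVERIFIED; // unparsable address: never guess a host
  }
  // data:, about:, javascript: and file: URLs serialize to the opaque origin "null".
  if (url.origin === "null") return UNVERIFIED;
  // url.origin is scheme + host + port only; userinfo and path are dropped,
  // so "https://bank.example@evil.test/" is labelled as evil.test.
  return `The page at ${url.origin} says:`;
}

// Compare the dialog's requester with the window the user is looking at.
function describeDialog(callerUrl, foregroundUrl) {
  const label = dialogOriginLabel(callerUrl);
  let foregroundOrigin = "null";
  try {
    foregroundOrigin = new URL(foregroundUrl).origin;
  } catch (err) { /* treated as unverifiable below */ }
  const sameOrigin =
    label !== UNVERIFIED &&
    foregroundOrigin !== "null" &&
    label === `The page at ${foregroundOrigin} says:`;
  return { label, crossOrigin: !sameOrigin };
}

// Constructed sample: dialog requested by one site while another is in front.
const sample = describeDialog(
  "http://malicious.example/start.html",
  "https://bank.example/login"
);
console.log(sample.label, "| cross-origin:", sample.crossOrigin);
```
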

"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering, told ZDNet UK.

Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

By Graeme Wearden
