Pop-up phishing flaw found in major browsers
Security firm Secunia has warned that many popular Web browsers contain a vulnerability that could be used by cybercriminals to steal personal data.
In an alert published on Tuesday, Secunia said that the flaw would allow a phishing attack where a malicious JavaScript pop-up window appeared in front of a trusted Web site. This could trick a surfer into revealing data such as their or password.
"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open — for example, a prompt dialog box — which appears to be from a trusted site," said Secunia.
According to Secunia, the latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino are all vulnerable. Opera 7 and 8 are affected, but not 8.01, according to Opera.
To take advantage of the flaw, a cybercriminal would have to direct a Web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialogue box in front of the trusted Web site, and a user might then be fooled into sending personal information back to the malicious site.
Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that don't include an address bar or a lock icon that verifies that it came from a certified source.
Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April a patch was developed that allows users to block Java and Flash-based pop-ups unless they came from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.
Opera confirmed on Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.
"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice-president of engineering, told ZDNet UK.
Krogh also pointed out that Secunia had rated the vulnerability as "less critical".
"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.