|
|
|
Pop-up Loophole Opens Browsers to Phishing Attacks
By: Matthew Broersma
2004-12-08
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
A malicious site could insert its own content into a pop-up window on even trusted sites,
making fraudulent content appear genuine, warns security firm Secunia. Browser vendors have yet to issue patches.
Security firm Secunia has warned that most Web browsers are vulnerable to a simple "phishing" technique that could make fraudulent content appear genuine.
The Copenhagen, Denmark, company on Wednesday published five advisories on the issue, covering fully patched, standard versions of Internet Explorer, Firefox, Opera, Konqueror and Safari. Secunia also published a demonstration allowing users to test their browsers. The test appeared to work on both Windows and Mac OS X platforms.
The problem is in the way browsers handle pop-up windows, which are used by many trusted sites such as banks. Because browsers arent designed to check whether another site is allowed to change the content of a pop-up window, a malicious site can insert its own content into any pop-up window, as long as the target name of the window is known, Secunia said.
In the example, a pop-up window launched by Citibanks site instead displays content inserted by Secunias demonstration page. "If the pop-up window is opened because the users clicked on a specific functionality, the user has no reason to suspect that the content in the window has been changed by a malicious site," said Secunia Chief Technology Officer Thomas Kristensen in an e-mail interview.
Secunia contacted the browser vendors before publishing the advisories, but so far none has issued patches or estimated when it might do so, according to Kristensen. "They consider it to be very basic functionality in the browser, which has been around for several years," he said.
But such design loopholes are now becoming more dangerous, with the huge rise in the frequency and sophistication of phishing attacks, Kristensen said. "Security holes that can be exploited to automatically install malicious code arent the only thing to be concerned about," he said.
 For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.
In July, Secunia demonstrated a similar flaw in the basic design of most Web browsers, which allowed a malicious site to load content into a frame in a trusted site. The vendors of the affected browsers—Opera, Internet Explorer, Safari, Konqueror and Mozilla—have since issued patches.
Phishing attacks have become a serious danger since emerging onto the scene about 18 months ago, with 1,974 unique attacks reported to the Anti-Phishing Working Group in July—up 20 times from the previous December. More than a dozen separate attacks were launched on Veterans Day alone, with Citibank, eBay Inc. and other financial institutions being the most common targets. Experts estimate that somewhere between 5 percent and 10 percent of people who receive a phishing e-mail will eventually fall victim to the scam.
Check out eWEEK.coms for the latest security news, reviews and analysis.
|
|
�������x}kw6�Dى皢HȖĶ<={t(��S$H6~gƭ��d;vҶD�TP(�
�{$sG3L{B.�cnQ?sOuޙ'w6{�R(%GFgP+N-w5� E]0eNFNv@\��~}@^sFw��D%x�_'Щ=ѩ&wɔiPل͙ؗ6}^~b�.hѱ
⌳Il_Pk$ȁ_
E�9�J�>�֥q�ɏB��4HXߢر�7{Xe�3��g71m( C
X^P~�D;ǎ5G{N�̚0/Pcw��0}��r[hP�;U�{aUh�� /�\1r.bL{y4�ɿ�T՝�L=iT�VC��;&�3ýtXF?D���c9��NRY R�k3ӂhY�lɧ9�]��o�ԏPL0H��<~0[� QE%$�7
�.nqO)'0/`=2}h�G�:a;6]�Uh?AWuomZV[u�ϙ!{֛i�]T],q"U-����wC��>�dPt�-2踑þ�ʲf
g�3nmަ[GR.ZpT*B~d�Mp}˴�&Neם[ѹyjP_vϮr$�([h
mI5M-u�u;�ާ;yԼ} �dm+5��UE`R�G$�_�S�::y\B�,=@F j��nE��KHOr�])2�1�,R#�w;ǃln\�:W~�:'g)7fٚY�J��d�T�Y1�LUi{i;'>gg�:�Q��ڟm3Hk�կz�O|iuHYz>54�0���V+%%�vdC�u{Br,�Od=h
. !�O}�fr2GrI/�o"���$�cM�|�Am�dƩ�$|Ǻ�z�N��lY^X�liJ5��f�!`F� 0sn5r'@ki��FkPY��T`k6�R\� 9lb�)6B̄H )&7jt M
XR�U��>I"E[fŢ˅B�!"xN3ˌE�!\J�!}!
g�|��8Jn.b?uKZ��fuٜ҅%]We�oQ#LK�\z�cOuMW~�?]tև�LqJ�j�p�X.B2iKB0qjjۛjRMWPT;*R85|�Qnl�2X��jXvR7X[A^݇`6 i��vڌz?i3�Ϩagfۉ9~��4$�AC66^lzK�4}j���>; ä��7X8<�c�O�v�/|�\aP���n#D�5�7
�l"�v|sc�м`y��na23fC?�F{7t$4�,/��{@`\@Z�8`�$8ʼ��E�]q�ksB�7}��`4F�&��QcSB�\j�JdN˕����] cRR,HH�t�"AђF��*�4� �gscX"C"'ǏA7;�.Vʥ�\.y"�m':Ν3Tr x&,R,BV-KᗄPf%i2mń(VFN��l�(0��Vf)F4~hN/a2*)WOSw�]�:6pȞc�>S�+EE.OLYZf<[�ꑪ+RY;l�� �ʸS�I͐6 [IF|t
|8.�MKϱ("}�r3�6O��
6 �8{y4!%6$N�?&BXiSt+@�Zl&�uTHbp=Pz˸h�Fq,@XĞ=�8]%�8sM^\X�Η�']9�g!@0o��ʱ���Luzh<
VشO:4wڳJ�)ՇYkkH
+BQQb?&i?怚H|A��2ex�L,Z`_9cDzlʠ�7�I�r]t)era�h��9&
ziD*��,Zag�+�F�5aϗaܧ^hL�v"5w�.Bā&h<.��[Ro==>8Ģ\Qۂ+6B`�Sքc'M}XtSykyW��>Ѐ�ap���"}����j�0�hsm�!�X` TU��S/V��_LQ0(TK�nƻhA�z-X]>L,�,@��ЧCkz]W9,#_'h�ho?]HjZX6C(JzTR*qVJwq�)4Ku@r�g}qs`ޝo�>4F�xP��Jo?�Cu�>tȕK-+)c�Z$ c?`��_�R�wU)ұ)N<:�a��r*-?M�έ�.�#��Џ]����Mt��Akߛ�,
�ܠYC�aϖҺR+�W,?A�@�ޯњ�N"0�.iYOT5)%U$jl|T�`Z:{>-L�H+��u�7�0�-�tpC)T뵢¾_Yn+�t�m(5#S
�#2�qg��rh)mf5�5�g"H5ysV�9y�]%��fZ+a1L*=:Y6AP,2ϣ�*+ZNۂe0&30�ʃz5c�;
[�LY�6z�ƚAFp56A�]��D wm>s7ѹtNkl �E?9dN u3��U�sf>���LV|�K6,^Jf;9Qo@Homs>1� ZH$;QKH07�$pk fP.T*E:k@"��a�]&�k꾬=M~qD�yC[Tޫ1�Ze�R/(SY-q'&F.҂^�S�f�vmv_&*|)2S�G�6Z|bR�.3GZy�+�jJH�Jz L�5|�5��C� 7P�kZ]#~g�$<@{EY,..m$UHU,UU\H�z, :.1X+(#t�+^��۹a
m.E<�9[ �1ķ�ʨTI^+�Gs;"ʌg�b|�q{q>'F{���l��j+jBgyr
`0O#[&IdYy�Vum4uX�"5H�~++*$Ԛ�kEI=N����h0iatA�*¾�G�.CGTTFog�A"WS[�U�5c���ɹT)j
b[-W+�>"�a�!`��T=(�{EO"p?l��V�z�솣d9#�T�`| @)c'd1s<6ɷo�fC?چ +�~W?l)ɑX�XD�>DQkf\{e"��nxb*�gF�Dccbh^f>A��%�_BQ`n�о(&w,OI�@�~5}ϼ1�V̶Ro~GQW
M=8;$EmS.�i{�O��0�fi^;.�y01�N 0�KKx��fq/R!)��X-u/Z�:Tc8�!�:gUރ�
�`i4Anx{D(}Fu{%g%U^~;�yt��p0Z�<�!hqo0]�8��K%y�;"ˎu�oл�< rDp�Bjw?\�(d�0
sri]g#6b��`
xѤȂ<"̔F<$]wFMT_�!u
Be\z5g��^|&�֒}UYr!sdQh�l�/Q��̚_�f|CAjΎx�P(� �� k@JA=�VohwWa�{k
D�-����b�ca�HF�rI'zRG�>gIř�O/PEQ�):�QrtH/ER�}CRB'T5˓$/+IYO)Eqhd*꒐~*~ i&'ءX�ґ۳�_.'8
$O�krwisq/P{a%yx2ű2k9�85(Au�N�H��qJiIw�3DJ^MjpVK�
ɏ�h� #:��3eh��Z��&
3�Rϗ{Uz*61@tm=O.�<�h;n�{
�GS
��e�Fon_apϲl^ta_}�b|;=F�'5�]{�H& D5}J�A0ف9~Dϝ̀(|�9Se>x>HАݙ�-p溟8#M[_Fa's�
]s�OA}i^wl'-U�FxB�J}~l/t6�D(yWe[{#Ȋ̅S.r!���FpZx>2�&\�%3��՛�wD/
ZR�o�14�L,*zj6;l-3�����'K��x<~�or�?0G OV�x�f79; 9��6@��Id3x�l|n�wkJljl�� 4�QbhLr�9٢h��r["�a'�FYOC,'��pIVܱ�S,*O_�O�o+N{kE�|;̔-u�\W�/5�%p M[k!/1�%]%�4y˭0LT�/7rFK[��^}l؏o%~!әi*2-]̭8[(y�y_�K�RȊ��L���k²y7lq.o>u�}[Hӭ�a_O*Fh��
~>`h%6�X\i>%���8'W60&~ 6UjP̍G�9d(;,D���SVRUr�L�Nn
�P6ʓ1?p#aB�ɂ2e�gi,�#YM���T� g]ik�JSuL$d6�#Erx�.}��#Vv:h2f�D����ȩ��/k� wIVX^�qa�U�Ѡİɸ>{v=B����E
zW��#�bc�'P6b�/�::Q
?
J#iv\Nb'5@-�~�2Rb��rH�ye.mu�hP0Q�kGԖxSʹ,M:�;�R"�@T 9[3m_}ci0lI��r*pG.H�\"bB�0QI�oH���`�/fDI⿇�TLz]
T4=�o0f@R�IQ&�eRR]s[RQqPE/pEK'S�LR�}��VK�(Rk�Dz}��Id}��b�)5mkVja[*�[EkeH|RmJv�\Kۑ�<�PB"(��
vHU�1��w✊�֜Sz)DV�F_nRSD[q�40ڤ`J�y�� U՚R-�L"'�L�0Q �&�`/EPO&No
eImˤ�Wo #<�H�ż.�Z#g���VR2�y��~��B�u'"$Î7w�c-[U^3ϖ:�,q/ػ,!&z[``p�vb�@�rH8� ��s�`^�'~vK�Bi�T}:YX|0���qX�×Zv`�f:�sChND0n�
W�Gh�I!8jy�//H/Dh=H8c$RNY^�GA³�roooo/UU0uKh�ה`)F4j;K�]&�]0g7�# ^^���E~yq+,C�3�kfn9/��._w>u;7R�SRI-�za|E=vǂy0~%`�+ǂ[*j}X�� o`�#�3m-��-i:�@6Oۨ��&k�͗A��dK�*S,Q;3�L�-�H�{Wi����D �W&λ��]jo�/�ʨҟ[=xT3��ݛ�B�@C;dПnrc,r`_DE�G0̳5b#���w
f�[Ls}:wwI��OppppzE�:Ы�Nk˾4p\)<�^/9c)SӷLb&C��� !�|��>q<��EBf5Δ�{=�M�:z�"�Vz
լA�cm�\_'n
\�ţ!{6�oZp�=W?�%4�C2ĚBa+I�iqlrG�3&e<�-~e!�=&�#b98\"O`I�\:�=_}4�|JMsLM�|3�槯]"R�Ɓ�{T[ݷ8[1XA̫MiY�꿓$yf�1��Fb�%1Y~�Gj�w�OQ5�@>&��i>�vExk~x0E|2�uL?2.Neã�E�Fp�
�
x[`�Y+
Z?�Fw@+U6^Gi�nb�,\��*@,va�u�)ȁ.bb�*1�ʱ, <ߋ!�Hy)ހyJ
Ye8.�.�ၽ�|�0Y>G�N$(�c�X�~==�-
EOO���h�\��c;jV]K�A/8�N $H{n1�㽻�n%5Dhc�v���H[5A\N{=�yJMh>#Ծ3=F��'b^m9S�lO0p�CA�+#iZ|fVؖ�mmq.]���fO)J %N0�Grٚmj��6A�@C�"T75|G*%_]G�x�9�*�VܞVk憝"_ÈV�R>fD9m���W2<,&�gL�x�a1aV
eզٝ$7�yg�_��ٿ[!ʃZ+=Jl~#�&=C*��5�;��/m[�Њ/=�oەɀ XPpC��MpP�(j- F��d�>�M��x\Lґu
Q`�< wz툘̥7f?= .M�8C���
roE�VIz# ,Ő ?ZED���"��IsꞓM3�ta�C�t樯Md�]:�}GL���#K8
S*�
���wOm�!'vQ]Q
s�ao�R�n(O�]
:�?�qa)��r��A�1H3vEVotn~�"fDRw/3O0�枩T}TdL4B&(qTi+$OcH��K�Djc�
]N*�@�[�`g*o���
c�n
Q&@Ĕ�v7U�I8�F�{-<)Y�\��X�ej��xp��x�m��)6lD
<���23�̋kR>ɖàFP8�Y|oby�LgA~\b�@Ԑ0�(J$Ѕ:�y,@#!��9ω�ŵy�kCa]NMݗYZ3AaP8�Z
��+z�jJP�&uO"3ʰ�LXQʉ7)ޯ�;�eUu�=M蕴Ba�`x�FNRsdhhz?;�v@|
LBz،\^!Xf39]�9tHq{5.qwG�}��RKG٩;ǽe{9`I a&hT_sme |Q);OFY�uavʜPδ��ͅfU�,x�j�y�^/J��M83'Q~�o�E_VCT�Ĩ�~0XB/K̰�NfS+�t�7Пgg:,1]r��ZO-�6Ak��Im>4rUN>M�o���
)ns9�e'�MjV}Qu�xQ3Q�Q~
OZ�2ʑ�@v'�O֗�}N3�!�>Bg\5r_7^fC�k(�ח��05/2��_d�^d�sA�"��ϋ��O�/?A3(?(�-�/2a|/3�2C~.a.3Ư�e�z_z�
*?3�3������#��埲�O�}�}ʠ
d�d
M�%:Iʘ!g+\8=r �gs�~)W@_d_�y*%iFy�3Y���+f/_+ʠsk=�
Я!�dnleҽ:鵓
aq)�z�^U^xڙipۭ]��hwp_l(%^a/��^敽I<$x��GW4<< X)rnm��z�P�[Йqe@ޢD�)+F�yk@�ǑY�{�zY~8=has;̞�^�e|xa�Qd,1h(x�4|s&pN!3J81�|
H-M�ԳpNR�?Ѱs�3@�t5^i{�sn �M]C�ꖉ�$
s#RRՒRJZVrG%Hd�6=8 "2��fDQe �jr�o9�Z)˥*D`q9#�T�x|D��emګ.�91C=b�{hǬ[ɖ^c(wp
E���У��46˘V͛YȌ�N�E5//��{_۱�B��
�R1��1@ͽe^*q0*j>b%Q<8sh�
mf��..eа!�,%sv[z0�
�|wP�3|�Yڠ`ƹr�2@���z4}�z<8~ü'�x-�7�:\A>ދtɌB΄[4�пCs%(u5H
50=_ou�'�"F;BλNח/�ɱw�|!;0BkNY?�/��C弡|ˉ�K�;-�,0�G)X1i����!�;�i,�>K?X
v7i:{ua-̸&�,C a3 ӮSh�ꐁsȎ=����qBp|5h_u�4b�
V$ǖ1x_%05�^�JS�g#3��B;/a�o�A+�_wa�˙���Z�.�S@8>�cc6H_,m�grlC�k:�nܙexn��"�d`Y�-qS�JxufB~Ʈ.'��9+w�o�t&��|2�f;�W ^v
6�Iϐ�R8�K9�#`V�n,='�IDπj���UMf@gQl)VxRD�n뭻+0\d�~\g;elnԕah��"�E�a'�_C |�a�'R1<�zH|k,X̨T�*L[�
|�IGAM6�_wsԶeEQ&PL��®�)JqK;y�HR͠O�*9�9"Ź
oPm
b/�yJ>?��T|-
5�\6LDRw��}J�0~N]�jV0N@9DEP�Sn�c.Lc(ŬBCd��=�)O?'[nI
5E`0v`ehDSL/Tvy*s*>�% �/� �ix�E �C2z
l|$_Oxƪ~Saxr=&=�з��57b�([|�ӼǼÿ�ˍt�_d%�\!d�3@FWD0;"����ZYc,�KE�%&(Xp\'AΙ3;>k`2\�X�G�x
k�ok3gz��Ϸ;���<�v7�s#+_2qN`WH{�XiW��w=S.u�7tleb�@�JF�� >D7#D*|�X^c �0У,*0�?ws::hՆG���X�Ǹ[�[)�qy6` <Щ0DM.vj]�nFQa#�®54-���v�ѩ���ߩ�n^3QaW_<�tcbS,$Il}
r�a�lX���^|M�wϏq�`2[uoz�ڧ[8K�IJ��y2 !δZxyU~ҥ�^�.I,g`cQd+8*)�ؐ��s���k`4bOP��1,F,�o�ԛ'T�S*�4.v>ϝ?^9?r�Ϣq9qGg#^HVw9.�^^5F�ElT$bB}�Ay4O~ւ!�gn耵�]~-&Sǂ!0ѕD1F(g,1�.f� Ax��=`#hxj<���nh1)�d'kI���'�'�R!la,�9�r3 ;Ej F.�t1��R04xq�Ba��ʩȩ(v�}_|J�Ѭd�;j�+sGO{
|>"�:xqea���Vt*N�睥 P.�i{TO34[;��?;��otˌ�hT*.㉋o:�g�'u��F�{�/RXBYzhI:v'
AHcZvC"^ֳ���~s Whc<�[Wy�&F�{5Vj"<&o�(FҢΰ
\岞�ZqKmN�~늘p6JL?-۔9MR"G�Zi/%!zR4��fr0>d֎�V&|Ʒ�Z2cˤ_�l?'��
|
Network Security & Hardware 
