Pop-up Loophole Opens Browsers to Phishing Attacks

A malicious site could insert its own content into a pop-up window on even trusted sites, making fraudulent content appear genuine, warns security firm Secunia. Browser vendors have yet to issue patches.

Security firm Secunia has warned that most Web browsers are vulnerable to a simple "phishing" technique that could make fraudulent content appear genuine.

The Copenhagen, Denmark, company on Wednesday published five advisories on the issue, covering fully patched, standard versions of Internet Explorer, Firefox, Opera, Konqueror and Safari. Secunia also published a demonstration allowing users to test their browsers. The test appeared to work on both Windows and Mac OS X platforms.

The problem is in the way browsers handle pop-up windows, which are used by many trusted sites such as banks. Because browsers arent designed to check whether another site is allowed to change the content of a pop-up window, a malicious site can insert its own content into any pop-up window, as long as the target name of the window is known, Secunia said.

In the example, a pop-up window launched by Citibanks site instead displays content inserted by Secunias demonstration page. "If the pop-up window is opened because the users clicked on a specific functionality, the user has no reason to suspect that the content in the window has been changed by a malicious site," said Secunia Chief Technology Officer Thomas Kristensen in an e-mail interview.

Secunia contacted the browser vendors before publishing the advisories, but so far none has issued patches or estimated when it might do so, according to Kristensen. "They consider it to be very basic functionality in the browser, which has been around for several years," he said.

But such design loopholes are now becoming more dangerous, with the huge rise in the frequency and sophistication of phishing attacks, Kristensen said. "Security holes that can be exploited to automatically install malicious code arent the only thing to be concerned about," he said.


For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

In July, Secunia demonstrated a similar flaw in the basic design of most Web browsers, which allowed a malicious site to load content into a frame in a trusted site. The vendors of the affected browsers—Opera, Internet Explorer, Safari, Konqueror and Mozilla—have since issued patches.

Phishing attacks have become a serious danger since emerging onto the scene about 18 months ago, with 1,974 unique attacks reported to the Anti-Phishing Working Group in July—up 20 times from the previous December. More than a dozen separate attacks were launched on Veterans Day alone, with Citibank, eBay Inc. and other financial institutions being the most common targets. Experts estimate that somewhere between 5 percent and 10 percent of people who receive a phishing e-mail will eventually fall victim to the scam.


Check out eWEEK.coms for the latest security news, reviews and analysis.