
10/20/2004 Archived Entry: "multiple browser security flaw"

Heads up: for a change, here's a security warning that affects almost every web browser except Internet Explorer. This includes Netscape, Mozilla, Opera, Konqueror, and Safari... basically any browser that supports "tabbed browsing", under any operating system. Yes, even Linux.

How it works: It's possible for a hostile web page to include a link to another, legitimate web page, but then the hostile page can pop up its own dialog box on the legit page. So the hostile (but innocuous-appearing) page could give you a link to, say, your bank, and then pop up a box asking for your account number and password, which would be sent to the hostile page (not the bank page that you're viewing).

It's easier to see this than to describe it: you can test your browser at Secunia.

This appears to be a fundamental flaw in JavaScript. Short of disabling JavaScript (which disables many web pages), your only workaround is to be cautious. As Secunia says, "Don't visit trusted web sites while visiting untrusted web sites." Always be suspicious of links on untrusted sites; when you're going to your bank or eBay or any other secure site, always open a new browser window and type the address in yourself. The safest approach would be to close the browser, relaunch it with a single tab, and then go to the secure site. Or use one browser for your "secure" work, and another for your casual browsing.

Microsoft users, you don't need to feel left out: Internet Explorer has two new security flaws of its own today.

brad
