October 21, 2004 (3:53 PM EDT)

Tabbed Browsers Can Disclose Confidential Info

By Gregg Keizer

New vulnerabilities in virtually every non-Internet Explorer browser give hackers a way to hijack confidential data entered into Web sites, a security firm warned late Wednesday.

The flaws, which affect the Mozilla/Firefox family of browsers, Opera, Apple's Safari, AOL's Netscape, and the Linux-based Konqueror, open up a spoofing avenue that attackers can exploit to rip off information, said Secunia in an advisory.

All these browsers offer tabbed windows, a feature that lets users quickly load multiple pages or Web sites, then flip between them. Unfortunately, one of the vulnerabilities allows hackers to launch dialog boxes from one tabbed window but make them seem as if they're actually appearing in another. The other bug allows a site open in one tab to grab information typed into forms on a site open in a second.

The hack needs some help from the user, said Secunia. "Successful exploitation would normally require that a user is tricked into opening a link from a malicious Web site to a trusted Web site in a new tab," the alert read in part.

Secunia posted a demo of the vulnerabilities that shows how entering data in one site--in the example, it's a Citibank log-in site--can be snatched by another site open under another tab. The end user entering his or her password to, say, an online banking site, would have no idea that the characters typed are actually being captured by the rogue site, not the bank's.

Among the affected browsers are Mozilla 1.7.2 and 1.7.3, Firefox 0.10.1, Opera 6.x and Opera 7.x, Safari 1.x, Netscape 7.x, and Konqueror 3.x.

Some of the flawed browsers have already been repaired or will be fixed shortly. Konqueror, for instance, closed the vulnerability in the version shipped with KDE 3.3.1, while the newest versions of the Mozilla/Firefox browsers have been patched against the second of the vulnerabilities. Opera said it will correct the issue in the upcoming version 7.60 (the current version of Opera is 7.54).

According to Secunia, users should either disable JavaScript within their browsers, or not visit trusted Web sites--such as financial institutions or retail sites--when tabs showing untrusted sites are also open.

The fact that browser vulnerabilities seem to be making the news more frequently isn't a surprise to analysts.

Last month, when Symantec issued its twice-yearly status report on Internet security, it noted that browsers make good targets because they're ubiquitous and easy to exploit.

"Almost 40 percent of the vulnerabilities we're seeing are against the Web client side," said Vincent Weafer, the senior director of Symantec's security-response team.

"And the for-profit motive has definitely been on the upswing among hackers," he added. "In fact, the whole malicious code problem is about stealing information."

