Wednesday, December 08, 2004

Phishing Websites Can Exploit Browser Flaw

Browser phishing 'flaw' could hook users

Robert Lemos, Staff Writer, CNET News.com
Published: December 8, 2004

A function built into all major browsers could be co-opted by attackers to fool Web site visitors into surrendering sensitive information, a security firm warned on Wednesday.

The issue, which security firm Secunia labeled a flaw, could allow a malicious Web site to refer visitors to a legitimate site--such as a bank's Web site--and then control the content displayed in a pop-up window. The issue affects Microsoft's Internet Explorer, the Mozilla Foundation's Mozilla and Firefox browsers, Opera's browser, the open-source Konqueror browser and Apple Computer's Safari, the firm stated in advisories on its site.

"No browsers warn or check if the other site is allowed to change the content of the pop-up window," Thomas Kristensen, chief technology officer for Secunia, said in an e-mail to CNET News.com. "If the pop-up window is opened because the user clicked on a specific functionality, the user has no reason to suspect that the content in the window has been changed by a malicious site."

Microsoft said that the attack uses a legitimate feature of browsers to fool users. "Our initial investigation has revealed that the report describes a by-design behavior in all popular web browsers that allows a website to open or re-use a window without displaying the address bar, which is a trust mechanism built into web browsers," the company said in a statement sent to CNET News.com. Apple, the Mozilla Foundation and Opera could not immediately be reached for comment on the issue.

Microsoft stressed that Windows XP users who have installed Service Pack 2 have some anti-phishing tools. Any window that asks for log-in, financial or personal information should be encrypted and display a lock icon in the status bar at the bottom of the window, Microsoft said in a statement.

However, Secunia said that the browser makers [may] miss the point. Most users won't notice small details like that if they believe they are at a legitimate site.

"The browser vendors fail to take into consideration the change of malicious activities on the Internet and the fact that security holes, which can be exploited to automatically install malicious code, aren't the only thing to be concerned about," Kristensen said.

Secunia advised Web surfers to have only one window open when browsing sensitive sites such as banks and Web stores.
