A new browser flaw could allow attackers to trick users into giving up sensitive information such as passwords. The flaw is unusual in that it affects every mainstream browser, and can be exploited on the Mac OS X operating system as easily as on Windows, said security company Secunia.
Because of the way most browsers handle JavaScript dialogue boxes, it isn’t clear which site a dialogue box originates from, Secunia said. An untrusted site could direct a user to a secure site such as a bank, and then cause a dialogue box to pop up in front of the banking site’s window.
If users entered their password information, the data would be sent to the attacker, Secunia said. “Successful exploitation normally requires that a user is tricked into opening a link from a malicious web site to a trusted website,” the company said in its advisory.
The flaw has been confirmed in Opera, Safari, Mozilla-based browsers, iCab and Mac and Windows versions of Internet Explorer. As of Wednesday only Opera had issued a patch, in version 8.01. The bug has been fixed in the beta of iCab version 3.0.
Secunia published a test to demonstrate the flaw.
Microsoft confirmed that Explorer was vulnerable, but said it has no plans to distribute a fix. “Customers who already follow our general guidance about avoiding spoofing and phishing attacks are at reduced risk of being affected by this issue,” Microsoft said in an advisory.
Spoofing flaws such as these become increasingly dangerous as they are exploited by scammers to siphon off users’ personal information. Despite the wealth of publicity around such scams, they remain surprisingly effective, according to security experts.