Pop-up phishing flaw hits browser security

Secunia sounds a warning...

Tags: secunia, phishing, security

By Graeme Wearden

Published: 23 June 2005 09:10 BST

Security firm Secunia has warned that many popular web browsers contain a vulnerability that could be used by cyber criminals to steal personal data.

In an alert published on Tuesday, Secunia said the flaw would allow a phishing attack where a malicious JavaScript pop-up window appears in front of a trusted website. This could trick a surfer into revealing data such as their password.

Secunia said: "The problem is that JavaScript dialogue boxes do not display or include their origin, which allows a new window to open - for example, a prompt dialogue box - which appears to be from a trusted site."

According to Secunia, the latest versions of Camino, iCab, Internet Explorer, Internet Explorer for Mac, Mozilla, Mozilla Firefox and Safari are all vulnerable. Opera 7 and 8 are affected but not 8.01, according to Opera.

To take advantage of the flaw, a cyber criminal would have to direct a web user from a malicious site to a genuine, trusted site such as an online bank, in a new browser window. The malicious site would then open a JavaScript dialogue box in front of the trusted website, and a user might then be fooled into sending personal information back to the malicious site.

Microsoft has said it is investigating Secunia's claims. It encouraged surfers not to trust pop-up windows that lack an address bar or a lock icon verifying that they came from a certified source.

Mozilla Firefox developers have already been making moves to combat this kind of phishing attack. Back in April a patch was developed that allows users to block Java and Flash-based pop-ups unless they came from trusted sites. Mozilla wasn't immediately available to comment on Secunia's claims.

Opera confirmed on Wednesday that its latest browser, 8.01, would display the pop-up's origin, letting a user inspect its URL to see if it came from a trusted site.

Christen Krogh, Opera's vice-president of engineering, told ZDNet UK: "Once these things are discovered, there's a rush as everyone tries to fix the problem."

Krogh also pointed out that Secunia had rated the vulnerability as "less critical".

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

Graeme Wearden writes for ZDNet UK
