This really scary because people can go to legitimate sites and have the popups hijacked. A demonstration of the flaw is at the following site http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ Pop-up Loophole Opens Browsers to Phishing Attacks Wed Dec 8, 6:52 AM ET Technology - Ziff Davis Security firm Secunia has warned that most Web browsers are vulnerable to a simple "phishing" technique that could make fraudulent content appear genuine. The Copenhagen, Denmark, company on Wednesday published five advisories on the issue, covering fully patched, standard versions of Internet Explorer, Firefox, Opera, Konqueror and Safari. Secunia also published a demonstration allowing users to test their browsers. The test appeared to work on both Windows and Mac OS X (news - web sites) platforms. The problem is in the way browsers handle pop-up windows, which are used by many trusted sites such as banks. Because browsers aren't designed to check whether another site is allowed to change the content of a pop-up window, a malicious site can insert its own content into any pop-up window, as long as the target name of the window is known, Secunia said. In the example, a pop-up window launched by Citibank's site instead displays content inserted by Secunia's demonstration page. "If the pop-up window is opened because the users clicked on a specific functionality, the user has no reason to suspect that the content in the window has been changed by a malicious site," said Secunia Chief Technology Officer Thomas Kristensen in an e-mail interview. Secunia contacted the browser vendors before publishing the advisories, but so far none has issued patches or estimated when it might do so, according to Kristensen. "They consider it to be very basic functionality in the browser, which has been around for several years," he said. But such design loopholes are now becoming more dangerous, with the huge rise in the frequency and sophistication of phishing attacks, Kristensen said. "Security holes that can be exploited to automatically install malicious code aren't the only thing to be concerned about," he said. For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog. In July, Secunia demonstrated a similar flaw in the basic design of most Web browsers, which allowed a malicious site to load content into a frame in a trusted site. The vendors of the affected browsers—Opera, Internet Explorer, Safari, Konqueror and Mozilla—have since issued patches. Phishing attacks have become a serious danger since emerging onto the scene about 18 months ago, with 1,974 unique attacks reported to the Anti-Phishing Working Group in July—up 20 times from the previous December. More than a dozen separate attacks were launched on Veterans Day alone, with Citibank, eBay Inc. and other financial institutions being the most common targets. Experts estimate that somewhere between 5 percent and 10 percent of people who receive a phishing e-mail will eventually fall victim to the scam.
