JavaScript-Enabled Spoofing Attacks
Ed Felten at Princeton University notes that people are constantly making security-related decisions. To make these decisions, people use contextual information provided by their computer. For example, when a user dials in to a computer, the user knows to type her dial-in username and password. At the same time, most users know to avoid typing their dial-up username and password into a chat room on America Online.
The combination of Java and JavaScript can be used to confuse the user. This can result in a user’s making a mistake and providing security-related information to the wrong party.
Spoofing Username/Password Pop-Ups with Java
When an untrusted Java applet creates a window, most web browsers label the window in some manner so that the user knows that it is unsecure. Netscape Navigator, for instance, will display the window with the message “untrusted applet.” The intention of this labeling is to alert the user: users may not wish to type their login usernames and passwords into a window that’s not “trusted.”
When an applet runs inside a browser window itself, no such labeling takes place. A rogue HTML page can easily display an innocuous background and then use a Java applet to create a traditional web browser username/password panel. The applet can even detect an attempt to drag the spoofed “window” and make it move on the page appropriately. The user can’t determine the difference unless she tries to drag the window outside the ...
Get Web Security and Commerce now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
