Staff Writer, CNET News.com
A function built into all major browsers could be co-opted by attackers to fool Web site visitors into surrendering sensitive information, a security firm warned on Wednesday.
The issue, which security firm Secunia labeled a flaw, could allow a malicious Web site to refer visitors to a legitimate site—such as a bank's Web site—and then control the content displayed in a pop-up windows. The issue affects Microsoft's Internet Explorer, the Mozilla Foundation's Mozilla and Firefox browsers, Opera's browser, the open-source Konqueror browser and Apple Computer's Safari, the firm stated in advisories on its site.
"No browsers warn or check if the other site is allowed to change the content of the pop-up window," Thomas Kristensen, chief technology officer for Secunia, said in an e-mail to CNET News.com. "If the pop-up window is opened because the users clicked on a specific functionality, the user has no reason to suspect that the content in the window has been changed by a malicious site."
The company has created demonstration that takes advantage of the flaw on its Web site. The example sends a user to Citibank's Web site, where clicking on the image opens a pop-up Window that is controlled by Secunia's program.
Microsoft said that the attack uses a legitimate feature of browsers to fool users.
"Our initial investigation has revealed that the report describes a by-design behavior in all popular web browsers that allows a website to open or re-use a window without displaying the address bar, which is a trust mechanism built into web browsers," the company said in a statement sent to CNET News.com.
Apple, the Mozilla Foundation and Opera could not immediately be reached for comment on the issue.
The hack of a legitimate feature is the latest security threat that could help phishers wrest identity information away from consumers. Last month, online intruders breached the security of at least one server at advertising host Falk and used the computer to distribute an attack to the service's clients, including The Register, a technology news and opinion site. Other flaws, together with mass e-mailing of links pointing to a malicious Web site, have been used to get aggressive advertising software, known as adware, installed on victim's computers.
Microsoft stressed that Windows XP users who have installed Service Pack 2 have some anti-phishing tools. Any window that asks for log-in, financial or personal information should be encrypted and display a lock icon in the status bar at the bottom of the window, Microsoft said in a statement.
"Some phishing cons have shown users a fake lock icon in a fake status bar at the bottom of the browser window," the statement said. "Internet Explorer in Windows XP SP2 will always show the real status bar so that users can detect a fake lock icon from a real one."
However, Secunia said that the browser makers miss the point. Most users won't notice small details like that if they believe they are at a legitimate site.
"The browser vendors fail to take into consideration the change of malicious activities on the Internet and the fact that security holes, which can be exploited to automatically install malicious code, isn't the only thing to be concerned about," Kristensen said.
Secunia advised Web surfers to have only one Window open when you browse sensitive sites such as banks and Web stores.