Our friends at Danish security research firm Secunia demonstrate how JavaScript is not your browser’s friend.
A less-critical vulnerability regarding the potential for spoofing scams utilizing JavaScript has been disclosed by Secunia.
And due to the way JavaScript works, all browsers that support it, including the forthcoming Firefox 1.0.5, can be victimized by the vulnerability.
According to Secunia, JavaScript dialog boxes do not display or include their origin. A malicious site can open a dialog box while making it appear to come from a trusted site. Secunia recommends that users not browse trusted and untrusted sites at the same time.
The exploit would require a person to first visit a malicious site, the sort that a phishing e-mail would deliver as a link. After going to the bad site, a user would be redirected to a legitimate site, either by clicking a link or simple redirection.
But the bogus site would then toss up a JavaScript dialog box, and anything the user enters there would be captured by the fake web site.
For users of tabbed browsing, like that in Firefox or the new MSN toolbar service for Internet Explorer, users who have to work with a bank or credit card site, or when making an online purchase, should only have a tab open for that site.
Mac users shouldn’t ignore this warning. Safari browsers also can be vulnerable to this issue, since it is specific to JavaScript and not a particular operating system.
Secunia has previously discussed this vulnerability.
David Utter is a staff writer for murdok covering technology and business. Email him here.
