Security have warned about a new Web browser security hole which could allow scammers to launch phishing attacks from pop-up windows on trusted websites.
The vulnerability affects almost all browsers, including Internet Explorer, Mozilla, Firefox, Opera, Konqueror, Safari and Netscape.
It arises when an Internet user opens browser windows for both a legitimate website and a malicious site at the same time. Because of an old functionality in most browsers, the malicious site can potentially display information in a pop-up window from the trusted site, according to Secunia. The vulnerability has yet to be exploited but could present a very effective method for launching online fraud scams, Secunia CTO Thomas Kristensen said.
While most users do not intentionally visit malicious websites, they often stumble upon them by following links, making it relatively common for Net surfers to have browser windows open for both legitimate and malicious sites at the same time, Kristensen said.
This could be a particularly dangerous situation if exploited to display misleading information on a pop-up window from a legitimate bank website, for example, he warned. Even if savvy users check for a the yellow "lock" icon on a site, signifying encryption, the pop-up could still display content from the malicious site, he said. "This could be a surprisingly effective way to seduce or trick people into doing something," Kristensen said.
Secunia went public with its warning yesterday. It had alerted browser vendors of the vulnerability months ago, it said. Kristensen acknowledged that by going public with the warning he was also alerting Internet scammers to a new opportunity, but said that he felt the public should be aware of the threat since not all browser vendors had been responsive.
"We thought it would be better to openly talk about this and we are giving advice on how to mitigate it," he said.