I want to make everyone aware of this dangerous ability provided within Microsoft Internet Explorer (and possibly other browsers) with a correctly coded browser script it is possible to "hijack" default browser shortcut keys (such as CTRL-N (New Window). CTRL-F (Find) and replace the standard behaviour with a scripted behaviour).
THIS IS A HUGE SECURITY LOOP HOLE.
Imagine, you search on Google and alight upon a likely looking search result. You goto that page and then decide you want to move to a new browser window, you hit CTRL-N and, unknown to you, the script on the page intercepts your request and opens up a new window in its own script injecting its scripted functionality into the new window (perfectly possible). Now, unless your very familiar with the working of your browser your not aware your still in a page controlled by scripts from your previous page. It would be potentially dangerous to proceed to login to your email.
It admittedly would be hard to make an "exploit" which would not be noticable by someone familiar with browser technology but easy to trick the non-technical user.
This kind of irresponsibility I find really annoying. Having these kinds of features. An external source should not be allowed to override innate features of your browser (for example, although pages should have the ability to know when they are closed. They should not have final executive control of wether the close can be allowed, the page should mearly be notified of proceedings and proceed to obey the user.
However, theres money in taking control away from the end user and theres loss in fixing it.
Sunday, 10 April 2011
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
What do YOU think?