26 de mai de 2010

Tabjacking: a new and ingenious phishing attack

Tabjacking: a new and ingenious phishing attack: "
Filed under: , ,

By now, all but the most geriatric Web users know about phishing. Usually it takes the form of a seemingly-official email from a bank or other money-related Web service. Most of the time these attacks are painfully obvious -- but what if you removed the email attack vector? What if you removed those daft give-away URLs? What if the phishing attack was pure, seemingly-benign JavaScript that's invisible to all but the most judicious of Web users?

That's exactly what 'tabjacking' does. Open Aza Raskin's proof of concept in a new tab. Admire the sample code. Now, change tabs, wait five seconds, and then watch in horror as his site seemingly becomes GMail.

Malicious JavaScript injection isn't a new thing -- and this particular exploit only works in Firefox (and partially in Chrome) -- but you have to admit it's pretty damn scary. It's certainly only a matter of time until workarounds are found for the other browsers -- and the implications when combined with targeting 'hacks' such as CSS history mining are petrifying.

You wouldn't have to hack the site to inject the JavaScript either: an add-on or extension would work just as well...

If you're like me, I always check the address bar before typing a sensitive password. I'm not actually sure what I'll do, now that tabjacking code is in the wild.

As Aza says, it's high time we move to browser-based authentication solutions like the Firefox Account Manager."

Nenhum comentário:

Postar um comentário