Security researchers have warned of a vulnerability in most web browsers that could let scammers launch phishing attacks from pop-up windows on trusted websites.
The vulnerability arises when an internet user has browser windows open for both a legitimate website and a malicious site at the same time. Because of a long-standing feature present in most browsers, the malicious site can display its own content in a pop-up window belonging to the trusted site, according to Secunia Research.
Secunia chief technology officer Thomas Kristensen said the vulnerability had yet to be exploited but could present a very effective method for launching online fraud scams.
While most users do not intentionally visit malicious websites, they often stumble upon them by following links, so internet surfers can have browser windows open for both legitimate and malicious sites at the same time.
Kristensen warned that this could be a particularly dangerous situation if exploited to display misleading information on a pop-up window from a legitimate bank website, for example. Even if savvy users check for the yellow "lock" icon on a website, signifying encryption, the pop-up could still display content from the malicious site.
"This could be a surprisingly effective way to seduce or trick people into doing something," Kristensen said.
According to Kristensen, the vulnerability affects almost all browsers, including Internet Explorer, Mozilla, Firefox, Opera, Konqueror, Safari and Netscape.
Secunia issued its warning this week, saying it had alerted browser suppliers of the vulnerability months ago.
Microsoft said yesterday that it had investigated the report, and users of Windows XP SP2 who followed its advice on spoofing attacks were at a reduced risk.
Microsoft said SP2 users would see a status bar in the pop-up window, allowing them to look for the yellow lock icon and confirm that the site was valid. The vulnerability described by Secunia stems from a website being able to open or re-use a window without the address bar being displayed.
Opera has also included measures to mitigate the vulnerability in the latest beta version of its software.
Kristensen acknowledged that by going public with the warning he was also alerting internet scammers to a new opportunity, but said that the public should be aware of the threat since not all browser suppliers had been responsive.
"We thought it would be better to openly talk about this and we are giving advice on how to mitigate it," he said.
Scarlet Pruitt writes for IDG News Service