
New Vulnerability Affects All Browsers

samzenpus posted more than 9 years ago | from the everything-equal dept.

Security 945

Jimmy writes "Secunia is reported about a new vulnerability, which affects all browsers. It allows a malicious web site to "hi-jack" pop-up windows, which could have been opened by e.g. a your bank or an online shop. Here is a demonstration of the vulnerability"


Doesn't work for me (0)

Anonymous Coward | more than 9 years ago | (#11038605)

With Firefox 1.0. I suspect it may have something to do with Tab Browser Extensions [sakura.ne.jp] .

Re:Doesn't work for me (1)

Spruce Moose (1857) | more than 9 years ago | (#11038613)

Me neither, and I don't have the tab browser extensions. All browsers my butt!

Re:Doesn't work for me (4, Informative)

TheViciousOverWind (649139) | more than 9 years ago | (#11038751)

Funny, I've tried this in Internet Explorer 6.0 and Mozilla 1.7, but I could only get it to "work" in Mozilla.

In Internet Explorer I pressed "With popup-blocker" (Google Toolbar) and up came Citibank, then I pressed the Fraudulent E-Mail button, and up came Citibank's popup window; only when I closed the popup window did the "This was hijacked" window appear (as if triggered by the window.onclose function), but that does not strike me as a gigantic security hole.

Of course the issue in itself is scary, but I'm confident the Mozilla team will have a patch out in no time.

This should probably serve as a reminder to webmasters out there that if you want users to trust content you provide in popup windows, e.g. for credit card payments, you should provide the address bar, and if the credit card processing takes place on another server, explain to the customer before he clicks "pay by creditcard" why the window will load from another server.

FP CLIT EAT MY SHIT (-1, Troll)

Sexual Asspussy (453406) | more than 9 years ago | (#11038608)

,ououououououououo.
o YOU MAY HIJACK o
u MY RECTUM FOR u
o A SMALL FEE o
u (like 911 lol) u
ouououou. .ouououou'
l l _|/
l l ." ".
l l /(o)-(o)\
/_)ll / )
l_)ll '- o . .
\_)l\ '.___.' / |\/|_.
l l \ \_/ / ._| '/
l_l\ \.___./ \ ) /
\ \_/\__/\__ l==l
\ \ /\ /\ `\ l l
\ \\// \l l
`\ /\ l / l
; ll l\____/
l ll l

any fixes (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#11038609)

available yet?

Sniff, our little browser's all grown up... (2, Insightful)

coupland (160334) | more than 9 years ago | (#11038611)

Thank goodness we've found our first vulnerability in Firefox. Now we can move from the myth that free software is impervious to exploits, and into the reality that vulnerabilities are acknowledged and patched faster in most free software projects. Gentlemen, synchronize your watches. Will the Firefox team have a fix out before Microsoft even admits it's a bug?

Re:Sniff, our little browser's all grown up... (1)

superpulpsicle (533373) | more than 9 years ago | (#11038640)

It was on some other site where I saw my first popup appear in firefox the other day. It was just a matter of time before firefox team needs to hit the firedrill again. Still far less than IE though.

Re:Sniff, our little browser's all grown up... (5, Insightful)

Indy Media Watch (823624) | more than 9 years ago | (#11038662)

Now we can move from the myth that free software is impervious to exploits

Uh, who was saying that?

Re:Sniff, our little browser's all grown up... (4, Insightful)

Frogbert (589961) | more than 9 years ago | (#11038696)

What are you talking about? Firefox has always had bugs, why do you think we get security updates? The difference, as we will soon see, is that the Firefox will have a patch weeks, or perhaps months before IE.

Re:Sniff, our little browser's all grown up... (2, Interesting)

Anonymous Coward | more than 9 years ago | (#11038705)

Firefox has already had several vulnerabilities, like the fake chrome site problem [virus.org] that let a misbehaved person fake an entire browser window (including all the security controls) using XUL. In that particular case, the reporter grew frustrated that his bug reports went unheeded for years in Bugzilla; he only got his way by making front-page news.

Mozilla, being an organization that develops an application collectively, falls prey to committee thinking. If enough people can shout you down on Bugzilla, your opinions don't matter and you get disillusioned.

The only worse part is that IE eliminates the middle man: bug reports to Microsoft are almost always met with silence instead of Mozilla's "Marked as DUPLICATE of a WONTFIX bug" responses.

Re:Sniff, our little browser's all grown up... (0)

Anonymous Coward | more than 9 years ago | (#11038720)

I don't know where you've been living, but Firefox is nowhere near to being invulnerable. There have been several fairly serious security flaws in the past.

Of course the difference between Firefox and IE is the frequency, seriousness, fix time, and fix quality. All of those go dramatically in Firefox's advantage.

That's why it's important to keep Firefox up to date, even though it's much superior to IE. There is a way to automate and/or indicate when it's time to do an update for Firefox.

Not the first Firefox vulnerability (4, Informative)

Chuck Chunder (21021) | more than 9 years ago | (#11038723)

The first since 1.0 maybe, but certainly not the first [secunia.com] outright.

As far as I can tell the problem is fixed in the latest Opera beta so they might be able to get it into a proper release pretty soon too.

Re:Sniff, our little browser's all grown up... (1)

dnoyeb (547705) | more than 9 years ago | (#11038731)

Is this a fault with the browsers, or the scripting language?

Re:Sniff, our little browser's all grown up... (4, Funny)

kaiser423 (828989) | more than 9 years ago | (#11038733)

No, it's still impervious, the exploit didn't work on my system. Sorry, OSS still has a 100% perfect, virginal, like freshly-fallen snow track record. /sarcasm No one ever said any of those things, and I doubt that anyone believes them, so get off your high horse.

Re:Sniff, our little browser's all grown up... (1)

IANAAC (692242) | more than 9 years ago | (#11038747)

I guess I'm missing something. I'm using Firefox 0.10.1 and did not have any problems. I'll have to try 1.0 later on both Windows and Linux, but 0.10.1 seems fine. No hijacking.

Did not work on FF1.0 in XP (1)

gad_zuki! (70830) | more than 9 years ago | (#11038764)

Tried a few times and nothing.

I don't get it (1, Informative)

corby (56462) | more than 9 years ago | (#11038615)

I am running Firefox 1.0. I tried the link that said 'With Pop-up Blocker', and it displayed a dialog saying that I did not have a pop-up blocker.

I refreshed the page, and tried the link that said 'Without Pop-up Blocker'. It opened up the Citibank website, but it did not hijack my Citibank popup window.

Same thing happened to me under IE6 (except I did not get the dialog when I clicked on the 'With Pop-up Blocker' link).

Maybe it works under certain circumstances, but I couldn't reproduce it.

Re:I don't get it (2, Informative)

serps (517783) | more than 9 years ago | (#11038638)

The exploit worked for me (FF1.0 win2k). I clicked on the "with popup" link, FF blocked a popup, but a new window spawned with Citibank. I clicked on the link I was told to, and up came the 2nd hijacked popup.

Re:I don't get it (1)

liquidpele (663430) | more than 9 years ago | (#11038645)

I'll verify that. It didn't work for me either. Not in Firefox, and not in IE.
Perhaps they're running win98?

Re:I don't get it (0)

Anonymous Coward | more than 9 years ago | (#11038646)

I just tried it under Epiphany and it works exactly as mentioned in the site. Very, very scary.

Re: Mozilla 1.7.3 no problem (0)

Anonymous Coward | more than 9 years ago | (#11038648)

Mozilla 1.7.3 no problem

Re:I don't get it (0)

Anonymous Coward | more than 9 years ago | (#11038653)

With my Firefox (on OS X) the first link didn't open any dialog ... while the second one caused the first browser frame to advance to a page claiming that Secunia hijacked the popup dialog. But there was no popup for Secunia to hijack.

???

Re:I don't get it (5, Informative)

Caine (784) | more than 9 years ago | (#11038654)

Did you actually follow the instructions? That is: Did you click on the image on the citibank-page, thereby giving you a third window? It doesn't sound like it from your comment.

And the exploit worked just 'fine' on my firefox 1.0.

Re:I don't get it (4, Informative)

Frizzle Fry (149026) | more than 9 years ago | (#11038713)

The fact that everyone is confused is an indication that their instructions suck. "Step one" is click on a link in the citibank site that you haven't visited yet. "Step two" is actually visiting the citibank site. And then "step three" is a no-op; the space for that step is instead used to discuss whether you are vulnerable. (Presumably, step five is "profit!!!"). Who came up with this and what planet are they from where this is a logical sequence of instructions?

Re:I don't get it (0, Redundant)

trythil (444488) | more than 9 years ago | (#11038655)

I'm also using Firefox 1.0, and I also can't reproduce the behavior that they say that I should see. Interesting.

Re:I don't get it (1)

trythil (444488) | more than 9 years ago | (#11038673)

Er, wait a minute, now I can. I forgot to click the "fraudulent e-mail" button. Whoops.

Re:I don't get it (0, Offtopic)

trythil (444488) | more than 9 years ago | (#11038691)

Who the fuck modded this informative? Didn't you read my refutation of my own post?

Re:I don't get it (3, Informative)

linguae (763922) | more than 9 years ago | (#11038682)

The exploit worked for me on Firefox 1.0 on Windows 98 SE with pop-up blocking turned off, but the exploit didn't work for me when pop-up blocking was turned on.

Re:I don't get it (1)

FrankSchwab (675585) | more than 9 years ago | (#11038716)

Win98SE with Firefox 1.0 here. Exploit worked as advertised with PopUp blocking on.

Re:I don't get it (1)

SweenyTod (47651) | more than 9 years ago | (#11038718)

Yes, it didn't seem to work for me. In Firefox 1.0 (on Windows XP), I clicked on the link with for a popup blocker, and got a Firefox message at the top of the page saying it had prevented the site from opening 699 windows, and the valid citibank.com site in the background. I never saw a popup window from Secunia at all.

Works just fine (1)

Kristoffer Lunden (800757) | more than 9 years ago | (#11038737)

Firefox 1.0, Gentoo

You have to do as you are told and click on the Fraudulent warning image too. Try it again, it does work.

Re:I don't get it (1)

iONiUM (530420) | more than 9 years ago | (#11038746)

I'm running Firefox 1.0, and I also could not reproduce it.

I think I've solved it. (4, Informative)

khasim (1285) | more than 9 years ago | (#11038757)

FF 1.0 on Win2K.

Middle-click to open citibank page in new tab YOU WILL NOT BE VULNERABLE.

Left click and allow citibank page to open in new window YOU WILL BE VULNERABLE.

At least, that's the behaviour I see on this box.

Nothing to see here... (1)

caino59 (313096) | more than 9 years ago | (#11038616)

Move along....

Looks like they hijacked my /.!

Oh noes.. (0, Troll)

corsair2112 (813278) | more than 9 years ago | (#11038619)

Fr1sty Pr0st

Great.... (0, Flamebait)

amemily (462019) | more than 9 years ago | (#11038621)

I'm sure the Moz team will have a fix out soon, but I seriously doubt Microsoft will have one out fast enough for us poor slobs that have networks full of stupid users who use IE (sorry, Moz won't cut it unless you can manage it with Group Policies...)

Re:Great.... (0)

Anonymous Coward | more than 9 years ago | (#11038675)

Now taking bets, who will have a fix out first.

1. Microsoft
2. Mozilla

Re:Great.... (1)

robpoe (578975) | more than 9 years ago | (#11038715)

I do agree, with the parent on the last thing he said.

Mozilla will NOT cut it until I can manage it by Group Policies.

Not all browsers (1)

Jah-Wren Ryel (80510) | more than 9 years ago | (#11038623)

A friend of mine tried it with a 1.0 preview build of firefox on his hpux workstation. It opened two windows instead of one -- one window was sized correctly and had the bank's designated content, the second window was the same size as a regular browser window and it had the phishing content in it. I think he said he reported their phishing failure to secunia, but I doubt they'd change their story, it would be a lot less sexy.

Anyone else have a build of firefox that wasn't really fooled?

Re:Not all browsers (0, Offtopic)

LnxAddct (679316) | more than 9 years ago | (#11038712)

This "vulnerability" is not able to be reproduced under firefox on Fedora Core 3. Looks to me like they just want some publicity.
Regards,
Steve

All your typos... (4, Funny)

Indy Media Watch (823624) | more than 9 years ago | (#11038625)

Jimmy writes "Secunia is reported about a new vulnerability"

And in other news, Slashdot is reported all about a new grammatical error in the headlines.

Reporting anyone?

Not quite hijacking (3, Interesting)

fembots (753724) | more than 9 years ago | (#11038627)

I opened Secunia [secunia.com], then opened another browser window to Citibank [citibank.com] via Ctrl+N, and clicked on Citibank's Consumer Alert button; nothing happened.

But if I used the link from Secunia [secunia.com] to access Citibank, the popup is then hijacked.

So it seems like you need to access (click on a link to) your trusted site via an untrusted site to get hijacked?

Here's how it works (5, Insightful)

sbszine (633428) | more than 9 years ago | (#11038752)

The links to Citibank from the Secunia site are actually handled by JavaScript. The script sets a timer, then opens citibank. Every second or so, Secunia's script then checks whether you've opened Citibank's pop-up. If you have, it opens a window with the same name (i.e. variable name) as Citibank's window, thus overwriting their content.

So the attacker doesn't need you to click on anything, they just need you to have their site open -- with the timer going -- in another window. Also, the attacker needs to know in advance what name the victim site's pop-up is referenced by. A dynamically generated name could possibly defeat this attack, though the attacker could always crawl the DOM for a handle to the pop-up.
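
A toy model of the name lookup described in the comment above, added here as an illustration and not part of the original thread or any browser's code: it compares a global window-name lookup with a hypothetical scoped lookup, and shows the dynamically generated popup name the comment suggests as a site-side defence. `ToyBrowser`, `freshPopupName`, `runScenario`, the origins and the window name `consumer_alert` are all constructed for the example, and the trusted site is assumed to be opened directly by the user.

```javascript
// Toy model of window-name resolution (added example; not real browser code).
// Web Crypto is global in browsers and current Node; fall back for older Node.
const webcrypto = globalThis.crypto || require('crypto').webcrypto;

class ToyBrowser {
  // policy 'global': any window may target any named window
  //                  (the behaviour the comment describes).
  // policy 'scoped': a name resolves only to a same-origin window or one the
  //                  caller opened itself (simplified, hypothetical rule).
  constructor(policy) {
    this.policy = policy;
    this.windows = [];
  }

  // The user opens a top-level window directly (typed URL, bookmark).
  userOpen(url) {
    return this._create(url, '', null);
  }

  // Models caller.open(url, name): reuse a matching named window, else create one.
  scriptOpen(caller, url, name) {
    const target = name && this.windows.find(
      (w) => w.name === name && this._mayTarget(caller, w));
    if (target) {
      target.url = url; // the existing window is navigated in place
      return target;
    }
    return this._create(url, name, caller);
  }

  _mayTarget(caller, w) {
    if (this.policy === 'global') return true;
    return w.origin === caller.origin || w.opener === caller;
  }

  _create(url, name, opener) {
    const win = {
      url, name, opener,
      get origin() { return new URL(this.url).origin; },
    };
    this.windows.push(win);
    return win;
  }
}

// Site-side defence: a per-open, unpredictable window name
// (128 bits from the CSPRNG, hex-encoded).
function freshPopupName(prefix = 'popup_') {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return prefix + Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Runs the scenario and reports whose content ends up in the trusted popup.
function runScenario(policy, popupName) {
  const browser = new ToyBrowser(policy);
  const bank = browser.userOpen('https://bank.example/');       // constructed origin
  const other = browser.userOpen('https://untrusted.example/'); // constructed origin
  const popup = browser.scriptOpen(bank, 'https://bank.example/alert', popupName);
  // The other site only knows the name that appears in the bank's static markup.
  browser.scriptOpen(other, 'https://untrusted.example/notice', 'consumer_alert');
  return { popupOrigin: popup.origin, windowCount: browser.windows.length };
}

console.log('global lookup, static name:', runScenario('global', 'consumer_alert'));
console.log('scoped lookup, static name:', runScenario('scoped', 'consumer_alert'));
console.log('global lookup, random name:', runScenario('global', freshPopupName()));
```

The model does not cover the case the comment raises at the end, where the other window already holds a handle to the popup and needs no name at all.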

It doesn't affect Safari (1)

lost_n_confused (655941) | more than 9 years ago | (#11038628)

I am using Safari 1.2.4 (v125.12) and I don't get the Secunia pop up.

Re:It doesn't affect Safari (0)

Anonymous Coward | more than 9 years ago | (#11038644)

Same, using Safari 1.2.4 (v125.12).

Re:It doesn't affect Safari (1)

eecue (605228) | more than 9 years ago | (#11038659)

didn't work for me either and i'm also running safari...

Re:It doesn't affect Safari (1)

Stefman (37546) | more than 9 years ago | (#11038678)

Yup, got the Citi pop up. Glad Safari's O.K.

Re:It doesn't affect Safari (1)

RyLaN (608672) | more than 9 years ago | (#11038686)

Doesn't work on Konqueror (3.3.2-1) on my Debian system, so anybody with a recently updated Sid box should be fine.

Re:It doesn't affect Safari (5, Informative)

narratorDan (137402) | more than 9 years ago | (#11038735)

Actually it does affect Safari, but you have to jump through hoops to get it to work.
After you have clicked on the link, you have to refresh the Secunia page, then it will work. It's kinda strange, but I guess it is a vulnerability. Kinda like walking back and forth through a bad neighborhood while counting your cash.

NarratorDan

Re:It doesn't affect Safari (0)

Anonymous Coward | more than 9 years ago | (#11038753)

Well, I managed to get a popup, but only with the "You have a popup blocker" test, and then only after I went back to the original secunia page and unchecked popupblocking in the menu :)

By that stage I had already closed the Citibank page, so it was unimpressive to say the least :)

(Nothing happened when I took off the popup blocking and tried the other link -refreshed the page as they instructed and everything)

Simple answer (0)

Anonymous Coward | more than 9 years ago | (#11038633)

The spoof stick extension for Firefox and Internet explorer

no problem here... (4, Informative)

jxyama (821091) | more than 9 years ago | (#11038635)

mac os x 10.3.6... running safari 1.2.4 (the latest build.)

Re:no problem here... (3, Interesting)

Otter (3800) | more than 9 years ago | (#11038762)

Same here -- the popup was hijacked in Mozilla 1.6 but my rather ancient Safari 1.0.3 put up the correct Citibank window.

We haven't heard from any Konqueror users yet (and the modem in my Linux box is broken so I can't check it myself). Is the immunity a khtml thing or was it Apple?

1.01 is on mozilla.org (0)

Anonymous Coward | more than 9 years ago | (#11038636)

or use auto-update feature

Happy. (1)

BrynM (217883) | more than 9 years ago | (#11038637)

I never thought I'd be happy to see a Citibank popup. I'm running Firefox (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0) with the TabbedBrowsingExtension [sakura.ne.jp] set to use a single window.

Well, that's one alert I'm safe from. Whew.

Re:Happy. (0)

Anonymous Coward | more than 9 years ago | (#11038709)

Indeed. It worked with my firefox (same as your installation but with no extensions installed) in windowed browsing, but not if I open the link to the pop-up in a tab.

Something I'm not sure about, though. The exploit only worked the first time. The second time I tried the "fraudulent emails" link from the same CitiBank window that worked the first time, it connected correctly to the CitiBank pop-up.

How long... (0)

Anonymous Coward | more than 9 years ago | (#11038639)

before this is patched for the various browsers? Has there ever been a concurrent hit like this in the past? This may be a rare opportunity to 'benchmark' the various organizations' responsiveness.

Another question...is this something that can even be patched browser-side? And if so, how could it be that *none* of them saw this coming?

Demo don't work (2, Funny)

bigberk (547360) | more than 9 years ago | (#11038641)

the demo come up blank. all i see is a window called (Untitled) (and the globe spins then dies)

It's called "Slashdotted" (2, Funny)

mark-t (151149) | more than 9 years ago | (#11038657)

You must be new here.

Safari test (4, Informative)

sg3000 (87992) | more than 9 years ago | (#11038643)

I tried the test in Safari 1.2.4 under Mac OS X 10.3.6. I had pop-ups blocked, the normal way I set my browser. Doing the test, I saw the Citibank site fine. When I clicked on the "Consumer Alert" button, it looked like the regular Citibank content. No problem there. I refreshed and clicked on the other "try this test" link, and there still was no problem.

When I turned off the pop-up blocking feature, then when I tried the test, I did see a pop-up from the Secunia site instead of the Citibank text. Now that's a problem.

Clearly, this is just another reason to block pop-up windows.

Firefox Notification (1)

pipingguy (566974) | more than 9 years ago | (#11038647)


Firefox prevented this site from opening 219 popup windows

Open Source (1, Informative)

halcyon1234 (834388) | more than 9 years ago | (#11038650)

Open Source means anyone can look at the code. Which means anyone can spot a vulnerability. Usually this means that the programmers catch the bugs first. This time-- ehh, not so much.

Of course, this also means that a huge amount of programmers can look at the code to find a bug to write a patch to release it to the public.

The bottom line: I switched everyone I know to Firefox nearly six months ago, and haven't had to do a single Malware clean yet.

Nothing (0)

Anonymous Coward | more than 9 years ago | (#11038652)

Absolutely nothing happened using Safari.

No problems with safari (1)

MoneyT (548795) | more than 9 years ago | (#11038656)

None here on version 1.2.4

Works for me (3, Informative)

HFShadow (530449) | more than 9 years ago | (#11038660)

I reproduced this successfully on Firefox 1.0 under Linux.

Re:Works for me (3, Funny)

Porn Whitelist (838671) | more than 9 years ago | (#11038700)

Not here - mind you, nothing's happening - it's slashdotted.

Security through server meltdown?

Slashdot fights back! (1)

Zorilla (791636) | more than 9 years ago | (#11038664)

You think there's any irony in a browser exploit page going down in a Slashdot attack?

not irider (2, Informative)

FrenZon (65408) | more than 9 years ago | (#11038666)

Well, it didn't affect irider [irider.com] , which is IE-based, presumably because it opens popups in its own (excellent) 'tree-tab' system.

Safari is safe (0)

Anonymous Coward | more than 9 years ago | (#11038668)

I just tried the demonstration in the latest version of Safari.

All browsers?!? (4, Funny)

localman (111171) | more than 9 years ago | (#11038670)

I just don't believe it. Anything -- even an exploit -- working in all browsers would be unprecedented!

Firefox 1.0 seems fine (0)

Anonymous Coward | more than 9 years ago | (#11038671)

An earlier post said they had firefox 1.0 and the "with popup blocker" link didn't work for them, but the "without popup blocker" linked opened but didn't hijack the site.

I tried the "with popup blocker" link, it opened a new window, but didn't hijack the window away from citibank.com

I guess I don't have to worry about it.

Nyeh (3, Informative)

c0dedude (587568) | more than 9 years ago | (#11038674)

It's a vulnerability, but it's the correct behaviour. Browsers should open the window in the target pop-up window, even if the page opening the page does not own that window, as I recall. As they say, that's no bug...

Well, well, well, ... (0)

Anonymous Coward | more than 9 years ago | (#11038681)

Jimmy is terrible at writing.

FireFox 1.0 is immune: (0)

Anonymous Coward | more than 9 years ago | (#11038683)

looks like by all browsers, they mean the browsers they actually bothered to test, of course they still wrote up a security vul. sheet for firefox... Idiots.

How long before... (1)

PainBreak (794152) | more than 9 years ago | (#11038685)

You open your online banking messages to find...

Good day,

I am Isaac Shongwe, Prescient Investment, South Africa. This is an
urgent and confidential business proposition...

Not so bad... (2)

Bagels (676159) | more than 9 years ago | (#11038687)

This only worked for me when I left-clicked, like they said. I'm so used to FireFox now that it was second nature for me to open the Citibank site in a new tab, and the exploit failed to work then.

Not on Camino for OS X. (1)

crispy1083 (636320) | more than 9 years ago | (#11038688)

Doesn't seem to work for me on a recent nightly build of Camino.

Using Opera 7.54 (2, Informative)

MrP- (45616) | more than 9 years ago | (#11038689)

Using Opera 7.54, the one for pop-up blockers enabled doesn't work.. as soon as i click the citibank link, the fake popup opens without me clicking anything, and when i do click the image they say to click, it changes the popup page to the actual citibank page you're supposed to see

the link for disabled popup blockers doesn't open a popup when i have my popup blocker enabled (actually it's just Proxomitron with custom filters)

When I disable Proxomitron, it does what it says (opens the Secunia site instead of the citibank site)

And with Proxomitron disabled, the first method (for people running popup blockers) still does the same as it did the first time.

Galeon vulnerable (1)

Markus Registrada (642224) | more than 9 years ago | (#11038690)

I had Javascript enabled, which is probably necessary. It compromised a pop-up-blocked Galeon 1.3.18 window just fine. You guys reporting invulnerability, do you have Javascript on?

either not working or slashdotted (1)

kayen_telva (676872) | more than 9 years ago | (#11038693)

and says I don't have a pop up blocker. uh. sure.
and you don't have 1337 hacking skilz either
aren't these people trolling for business with these stories ?
trying to scare people and then sell them services
maybe when it's independently verified I will worry

jack pot (4, Funny)

loid_void (740416) | more than 9 years ago | (#11038694)

i did it using safari, got citibank, i have no account but was able to transfer $100 million into an offshore account. That was some test

Doesn't work for me (OmniWeb 5.something beta) (1)

Dr. Awktagon (233360) | more than 9 years ago | (#11038695)

I must be doing something wrong? I'm using OmniWeb and also proxied through Privoxy (pop-up blocking implemented in both).

I clicked the link for folks WITH a pop-up blocker, and the citibank page opened in a new window, and a javascript alert appeared that reads "You do not have a pop-up blocker enabled" .. uh, I have TWO actually. But never mind that. Dismiss the alert, and I then click on the "Consumer Alert" graphic and absolutely nothing happens.

Okay actually, OmniWeb showed a blocked pop-up in the *Secunia* window, behind the citibank window. Odd. Let's see what that window is.

Okay, it's the citibank pop-up about "spoofs". No message from Secunia. So I guess I'm not vulnerable this way.

Now I close the citibank window and reload the secunia window to try the "WITHOUT pop-up blocker" link. Again, the citibank page opens in another window. I click on the "Consumer Alert" graphic.

This time, the content of the Secunia window is *replaced* with the citibank pop-up (back button disabled, because it replaced the contents, and I opened the original secunia link in a new window so it doesn't have slashdot in the history either). And no pop-up indicator, no message from Secunia.

So does that mean I'm not vulnerable? Is it OmniWeb or is it privoxy that's "protecting" me?

Note: It also doesn't work in Lynx, my other favorite browser. :^)

OS X seems to be immune (1)

caveat (26803) | more than 9 years ago | (#11038697)

Camino 0.8.1 (Build 2004082512) on X 10.3.6 (without the latest security patch) displays the Citibank page. Safari 1.2.4 (v125.11) is just giving me a blank page (although that could be the ./ Effect; the site got noticeably slower in the time it took me to launch Safari and try it out). Ooo-rah OS X!

Yay. (0)

Anonymous Coward | more than 9 years ago | (#11038701)

The only thing that happened when I did their test for pop-up blockers with Firefox is FF kept telling me it was blocking a huge amount of pop-ups.

Re:Yay. (0)

Anonymous Coward | more than 9 years ago | (#11038726)

Darn, though they are right, it said Secunia did it, not Citibank.

For Apple users... (0, Redundant)

nolram (135173) | more than 9 years ago | (#11038702)

Safari 1.2.4 seemed to pass their test. No vulnerability there.

not really vulnerability (0)

Heem (448667) | more than 9 years ago | (#11038719)

I really don't consider this a vulnerability as much as a form of social engineering / taking advantage of the stupid. Similar to phishing - you don't see someone saying that phishing scams are a mail client vulnerability.

Worked on my system as well... (1)

martin_b1sh0p (673005) | more than 9 years ago | (#11038724)

Firefox 1.0 on Red Hat FC3. I followed the instructions and clicked on "Test With Pop up Blocker" and I received the phishing pop up. Very interesting.

Konqueror not apparently affected... (1)

LordDracula (153751) | more than 9 years ago | (#11038725)

Just tried it with Konqueror 3.1.3 (on Linux, duh), and didn't get the "exploit" behavior--just got a new window with the CitiBank stuff. Tried both "with pop-up blocker" and "without pop-up blocker" methods, and was not able to reproduce the behavior.

interesting (1)

Smallest (26153) | more than 9 years ago | (#11038728)

but they really need to work on their instructions. it's not really clear that step two has to happen before you can click the image shown in step one... the instructions for step one make it sound like the window will open automatically.

They better be right! (1)

CptSkydrop (577286) | more than 9 years ago | (#11038729)

Please note. If you wish to run the test multiple times, then please refresh this page before each test.

"It's not working, maybe I'll refresh" *refresh* "nope, still nothing" *refresh*.

Multiply that by Slashdot...

Safari (1)

TheWordOfB (696275) | more than 9 years ago | (#11038732)

I don't get it.. I can't get it to work in Safari 1.2.4. Is my browser broken, and by broken I mean fixed.

Read BEFORE you submit, sheesh. (1)

SoupaFly (558227) | more than 9 years ago | (#11038734)

"Secunia Research has reported a vulnerability, which affects most browsers."

The first damn line of the vulnerability test page says MOST, not ALL browsers.

Re:Read BEFORE you submit, sheesh. (0)

v3rgEz (125380) | more than 9 years ago | (#11038760)

Listen man, the lines are drawn. Firefox vs. Explorer. Everyone else is just camera fodder ...

Simple solution: Block Pop-ups (1)

Che Guevarra (85906) | more than 9 years ago | (#11038738)

Who doesn't block pop-ups?
I'll call my mom and dad right now. Does it affect AOL version 3.0?

Best Quote, "Do not browse untrusted sites while browsing trusted sites."

Interesting tidbit... (0)

Anonymous Coward | more than 9 years ago | (#11038741)

I tried out the test, but when I normally browse I open up new sites in Tabs, when doing this the test failed.

I went back to try the test out again, but this time opened up citibank website in a new window, and it was hijacked.

I would call that an interesting tidbit with FireFox.

Yay! (1)

dswensen (252552) | more than 9 years ago | (#11038742)

Finally, something to wipe that smug grin off all those Lynx users' faces...!

...aw.

De ja vu (1)

pawnIII (821440) | more than 9 years ago | (#11038755)

I remember not too long ago this same exploit. Same thing, affected all browsers. Was fixed by Firefox not too long after.

Guess the exploit has been updated, or the exploit was accidentally created again by the Mozilla team.

Very weird... (1)

mark-t (151149) | more than 9 years ago | (#11038756)

Clicking on the first link opened up a new window (no problem, I allow new windows to be created if they are the target of something that was actually clicked), and the new window just sent me to citibank, like the status bar at secunia said it would...

Clicking on the second link opened up a new window and sent me to citibank, and the window that formerly contained the vulnerability test links now contained a "results" page that, at least as much as I understood, was supposed to be opened up in a new popup window. But the only popup window I got was the one to the bank, as per expected.

Doesn't always work (1)

yabos (719499) | more than 9 years ago | (#11038759)

First time I tried it it timed out, second time, it showed the Citibank page. A few other times, showed the Citibank page. One time it did actually show Secunia's crap. Subsequent tries, show Citibank's site.

Firefox 1.0 Windows XP.