Peaches
Posted January 15, 2009

14 January 2009, 13:26

Banking details can be stolen through a new JavaScript exploit

Phishers are reported to be able to exploit a vulnerability in the JavaScript engines of current browsers, including Internet Explorer, Firefox, Safari and Chrome. Trusteer is a security services provider specialising in online banking, whose chief technician is the well-known security specialist Amit Klein. Trusteer report that a crafted web site can exploit a certain JavaScript function to identify the bank page a user is currently logged into.

If a user is connected to his bank's online banking service in one window, and leaves it open while visiting other sites, a crafted site can identify his bank, then activate a pop-up window imitating the bank's logo and appearance and ask for the login to be repeated. An inattentive user who re-inputs the data falls right into the phisher's trap.

Trusteer's report doesn't name the JavaScript function concerned, but says it doesn't surrender the information about open sites; instead it goes through a list of bank sites, asking each time whether the user is logged in to that particular bank, the response being a straight "yes" or "no". In order to make a phishing attack, a crafted web site merely needs to hold a long list of known banks and financial institutions.

Heise security: http://www.heise-online.co.uk/security/Ban...t--/news/112417