Browser vulnerabilities are nothing new, and they constantly pop up no matter what software you’re using. Today, however, Ghacks found an especially eerie one that currently affects almost all versions of Internet Explorer 6, 7, and 8. It’s capable of recording all of your keystrokes even after you’ve left the site you were visiting.
Update (6/27/2008 @ 1:34PM CST): As some commenters have pointed out this vulnerability does affect Firefox 3 users as well.
How does it work? First the user must click on a malicious link that uses JavaScript to open a URL in a new window/tab. The site you were expecting to open is displayed without any issues, and you’ll likely assume that you’ve completely left the referring site. Once the JavaScript code finishes executing, it hijacks the first iframe it finds on the page that was just opened, and begins capturing any of your keystrokes.
Want some proof? This site has an example link to demonstrate how it works. To show just how versatile this is, I modified a small portion of the code so that it opens our homepage and takes over the first iframe that appears at the very top. Here’s what the code looks like; click on it to see what I’m talking about:
If you are using a susceptible browser you should have noticed that the iframe at the top of the page turned solid red, and any key you pressed on the keyboard was displayed in the box:

I didn’t modify our site’s code in any way to get this to work, and any site you visit that uses iframes is susceptible to being a host for the vulnerability. That means it could easily steal login credentials or credit card information, assuming an iframe is available on the page. Scary, huh?
As of right now a proof-of-concept is only available for Internet Explorer, but with a little more work it’s possible that it could also affect other browsers. I have verified that the current method works in Internet Explorer 6, and that it doesn’t work in Firefox 3, Opera 9.5, or Safari 3. Here’s more information on how the vulnerability operates.
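The step that makes this possible is the opener keeping a script handle to the window it opened; a browser only lets that handle reach the opened document (and the iframe elements in it) when both pages share an origin, meaning scheme, host and port all match. The following is an added example, not the article’s or the demo’s code; it models that same-origin decision over a constructed page with hypothetical hosts so you can see which opener URLs could and could not reach the frames.

```javascript
// Added example (not from the article or the demo it links to).
// Models the same-origin policy check that decides whether script in
// the window that opened a new tab can reach that tab's document.

// Normalise a URL to its origin: scheme + host + port.
// Default ports collapse (":80" on http disappears); the path is ignored.
function originOf(url) {
  return new URL(url).origin; // e.g. "http://site.example"
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// The opened page is modelled as its URL plus the src of each iframe in
// its markup. Returns the frames the opener's script could reach through
// its window handle, or an empty list when the policy blocks access.
function reachableFrames(openerUrl, openedPage) {
  if (!sameOrigin(openerUrl, openedPage.url)) return [];
  // Same origin: the opener can walk the opened document and pick the
  // first iframe element it finds, which is the step the post describes.
  return openedPage.iframes.slice();
}

// Constructed sample page (hypothetical hosts, not from the article).
const OPENED = {
  url: "http://site.example/home",
  iframes: ["http://ads.example/banner", "http://site.example/widget"],
};

// Opener URL and how many frames it should be able to reach.
const CASES = [
  ["http://site.example/injected-link", 2], // same origin: reachable
  ["http://site.example:80/x", 2],          // default port, still same origin
  ["https://site.example/x", 0],            // scheme differs
  ["http://attacker.example/x", 0],         // host differs
  ["http://sub.site.example/x", 0],         // a subdomain is a different origin
];

// True when every case behaves as the same-origin policy predicts.
function checkCases() {
  return CASES.every(([opener, n]) => reachableFrames(opener, OPENED).length === n);
}
```

Note that the ad iframe is reachable as an element of the same-origin document even though its own content comes from another host, which is why an advertisement frame could be the one that turns red.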

I don’t agree that it doesn’t work in Firefox 3.0 (I have a Polish version).
[i25.tinypic.com]
Firefox 3 *is* vulnerable! Proof:
[img520.imageshack.us]
Another reason to use NoScript.
Thanks for the info guys! For some reason it wasn’t working in Firefox 3 for me. I updated the post accordingly though.
If you’re running Adblock Plus in FF3, disable it. You’ll see the box/letters then.
This is what you can expect when you don’t use Opera.
I’ve just tested this using 4 browsers available on Mac OS X 10.4.11 PowerPC:
Safari 3.1.1 – Vulnerable to demonstration exploit.
Firefox 3.0 – Vulnerable
Opera 9.5 – Vulnerable
Camino 1.6.1 – Vulnerable – Can also be stopped by selecting “Block Web Advertising” in Web Features Preferences.
All browsers had JavaScript enabled for this test.
At least for this demo, it appears that keystrokes are only captured if the tab with the demo exploit is active, not if I’m typing while another window or tab is active. I assume that the demo is crafted only to show that text entered in another iframe can be captured.
Why bother? If you just discovered a site and trust it due to its professional look, you’re gonna enable JS anyway. This form of false safety is not worth having me enable JS on every new website I visit.
Wait, what? This only works because you embedded some hostile JavaScript into *your own* domain. You either have to find an existing XSS vulnerability, or convince someone to add a link like that onto their site.
Arbitrary untrusted website X can’t do this to trusted website Y, thanks to the same-origin policy.
This is not a big deal.
Face it: people come across new sites every day. In this day and age of AJAX-powered sites, you’re very likely to switch on JavaScript on these sites. Of course you’re not gonna trust sites like “download-free-software.biz”, but that’s just common sense. You don’t need a JS blocker to stay away from these sites…
Disable JavaScript entirely. Eschew sites that require JavaScript. Give up on AJAX.
Sure, large portions of the web become less shiny, but really… how can folks look at this sort of thing and continue to think that JavaScript is a good idea? Just because it’s shiny and clever doesn’t mean it makes sense to allow it.
NoScript is a good first step, but it’s not enough. Websites should *always* work w/o JavaScript, and if you want the additional functionality, install a plugin just for that website. Our infrastructure won’t support that just now, so we ought to just give up on JavaScript until someone *designs* something that’s a teensy bit paranoid.
The last thing visitors want to do is install a plugin for a website they don’t know what to expect of. Installing plugins is a lot riskier than having JS enabled!
Are you saying you prefer the interfaces such as the old MSN Hotmail (which reloads the entire friggin’ page every time you press a button) over Gmail’s way of taking care of things? As we speak, I have used the JS-enabled ‘Edit’ button over five times to edit this message so that I don’t have to wait for the page to load over and over. We’d be lost without JavaScript.
Pieter wrote:
We’d be lost without JavaScript.
Speak for yourself. I use NoScript to allow JS for only a few sites. Yes, I can still run into problems, but the opportunities for me to encounter a JS vulnerability are greatly reduced.
Ryan,
Did you read the comments on [reddit.com] ?
The iFrame that is being “hijacked” by the script on our site is for an advertisement, which would be why you wouldn’t see the box. Thanks for pointing that out.
I did glance over them, but didn’t see anything in particular that stood out.
A [reddit.com] comment says that it doesn’t work in other browsers. Isn’t he correct (and the update in this post wrong)?
It does work in Firefox though as some users pointed out by posting their screenshots.
I was thinking the same thing – long live Opera!
Seriously? You guys need to get extension support.
Which one do you want? ‘Vietnamese Language Pack, v2.0’? ‘Critical Vulnerability, v1.0’?
Well then, why not shut down the entire internet because some sites try to infect you with malware?
FYI, Firefox protects its users from these bad extensions and doesn’t let them install these.
But I tried this in IE7, and we just can’t get rid of the new page… can’t switch to another page…
This vulnerability has yet to be patched!
Mozilla, do something about it!