
| Subject: | Re: Firefox focus stealing vulnerability (possibly other browsers) |
|---|---|
| Date: | Tue, 13 Feb 2007 19:52:23 +0100 (CET) |
On Tue, 13 Feb 2007, Andreas Beck wrote:
> Let scripts and form parser handle upload fields just as usual form fields.
> Prefilling them with VALUE, changing them from script, etc. pp. BUT: Warn
> the user about uploading files.
The problem here is that a majority of users find browser warnings impossible to understand, far too frequent, perceive them as roadblocks (see dancing hamsters, or "reject an invalid certificate"?), and above all, are not sure who is to be trusted (the author of the webpage, who tells us to click "yes", or the author of a browser, who is a whiny geek?). Otherwise, we wouldn't have *millions* of users running attached EXE files or clicking to install ActiveX controls despite big, honking, sometimes repeated warnings that say "YOUR COMPUTER WILL BE OWNED" and default to "cancel".

Adding warnings that pop up during normal activity (such as uploading your new baby photos) further blurs the line and conditions users into clicking "yes" on all such notices.

So, although it's a good solution from a technical standpoint, I do not think it's optimal as far as users are concerned - whenever we can avoid giving a non-expert user a choice without impacting functionality, we should go for it.

In this particular case, preventing scripts from reading .value of such input fields, moving focus to or away from these fields, and in any way influencing the delivery of keystroke events while this field is in focus, seems to be a good solution that wouldn't significantly interfere with legitimate web functionality.

/mz
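The restriction Zalewski proposes (script may not read the file input's `.value`, may not move focus onto or away from it, and may not see keystrokes while it has focus) can be sketched as a routing policy. The following is an added example, not code from the thread or from any browser; it is a small constructed model of a page with a text field and a file field, where page script tries to move focus on every keystroke, run under a permissive "legacy" policy and under the restricted policy. Element ids (`comment`, `upload`) and the class names are assumptions made for the illustration.

```javascript
// Constructed model of focus and keystroke routing around <input type="file">.
// Two policies: "legacy" (script focus() always honoured, .value readable) and
// "restricted" (the policy described in the message above).

class Element {
  constructor(id, type) {
    this.id = id;
    this.type = type;          // "text" or "file"
    this.value = "";
    this.keyListeners = [];    // page-script keystroke handlers on this element
  }
  isFileInput() { return this.type === "file"; }
}

class BrowserModel {
  constructor(policy) {
    this.policy = policy;      // "legacy" | "restricted"
    this.elements = new Map();
    this.focused = null;
    this.log = [];             // record of denied script actions
  }
  add(el) { this.elements.set(el.id, el); return el; }

  // Focus change initiated by the user (click, Tab): always honoured.
  userFocus(id) { this.focused = this.elements.get(id); }

  // Focus change initiated by page script. Under "restricted", script may
  // neither move focus onto a file input nor away from one.
  scriptFocus(id) {
    const target = this.elements.get(id);
    const touchesFileInput =
      target.isFileInput() || (this.focused !== null && this.focused.isFileInput());
    if (this.policy === "restricted" && touchesFileInput) {
      this.log.push(`denied script focus -> ${id}`);
      return false;
    }
    this.focused = target;
    return true;
  }

  // Script reads .value: under "restricted" a file input's path is not exposed.
  scriptReadValue(id) {
    const el = this.elements.get(id);
    if (this.policy === "restricted" && el.isFileInput()) return null;
    return el.value;
  }

  // A user keystroke goes to the focused element. Under "restricted", page-script
  // key listeners are not invoked while a file input has focus, so script cannot
  // observe or react to those keystrokes.
  userKey(ch) {
    const el = this.focused;
    if (el === null) return;
    el.value += ch;
    const deliverToScript = !(this.policy === "restricted" && el.isFileInput());
    if (deliverToScript) for (const fn of el.keyListeners) fn(ch, this);
  }
}

// Scenario: the user types "hello" into the text field; a page-script key
// listener on that field calls focus() on the file input after each keystroke.
function runScenario(policy) {
  const b = new BrowserModel(policy);
  const text = b.add(new Element("comment", "text"));
  const file = b.add(new Element("upload", "file"));
  text.keyListeners.push((ch, browser) => browser.scriptFocus("upload"));
  b.userFocus("comment");
  for (const ch of "hello") b.userKey(ch);
  return {
    textValue: text.value,                          // what landed in the text field
    fileValue: file.value,                          // what landed in the file field
    fileValueSeenByScript: b.scriptReadValue("upload"),
    focusedAtEnd: b.focused.id,
    denials: b.log.length,
  };
}

console.log("legacy:    ", runScenario("legacy"));
console.log("restricted:", runScenario("restricted"));
```

Under the legacy policy only the first character reaches the text field; the rest lands in the file field and script can read it back. Under the restricted policy every script focus() call is refused, all five characters stay in the text field, and the file field's value is opaque to script. Current browsers ended up close to this: the HTML specification makes a file input's `value` read back as `C:\fakepath\` plus the bare file name, and assigning any non-empty string to it throws an `InvalidStateError`, so neither prefilling from script nor reading the real path is possible.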