In association with heise online

14 January 2009, 12:26

Banking details can be stolen through a new JavaScript exploit


Phishers are reported to be able to exploit a vulnerability in the JavaScript engines of current browsers, including Internet Explorer, Firefox, Safari and Chrome. Trusteer, a security services provider specialising in online banking whose chief technologist is the well-known security specialist Amit Klein, reports that a crafted web site can exploit a certain JavaScript function to identify the bank page a user is currently logged into.

If a user is connected to his bank's online banking service in one window, and leaves it open while visiting other sites, a crafted site can identify his bank, then activate a pop-up window imitating the bank's logo and appearance and ask for the login to be repeated. An inattentive user who re-inputs the data falls right into the phisher's trap.

Trusteer's report (PDF) doesn't name the JavaScript function concerned, but says that it doesn't directly surrender information about which sites are open; instead, the crafted page goes through a list of bank sites, asking each time whether the user is logged in to that particular bank, the response being a straight "yes" or "no". To mount a phishing attack, a crafted web site therefore merely needs to hold a long list of known banks and financial institutions.

One way to guard against what Trusteer calls "in-session" attacks is to have only the online banking site open in the browser and then to log off and close that window, before surfing elsewhere. Trusteer doesn't say whether it has reported the problem to the browser makers.
