Visual Spoofing

While Microsoft recently patched a URL-based spoofing vulnerability, a whole new class of spoofing exists for browsers: visual spoofing.  I have not yet seen any evidence of this type of spoofing actually being done in the wild, but I was able to create a demo in less than an hour.

Here is the demo of visual spoofing for IE6 that I put together.  Note that the vulnerability is not unique to IE.

The problem with visual spoofing is that it is difficult to fix with a simple patch.  Yes, there are ways to fix the problem partially, but I don't see a way to remove it completely, because hackers can still create a page containing images of overlapping windows to distract clueless users, who tend to keep many windows open.

Update:

While thinking about tigers this afternoon, I stumbled onto an idea that could minimize the vulnerability, including the 'deeper problem', down to an acceptable level.  Why was I thinking of tigers?  I have no idea.  Anyhow, I'll post about it in the next day or two (look for a post titled 'Secure UI') after I explain the 'deeper problem'.

Boy, I feel better already.

See Also: Visual Illusions, Secure UI: Phishmarking

Comments
What hap to eye of beholder pos?

Picture?

What say?
I deleted it because I didn't like the post. It's the second I deleted today. Oh, well. There will be enough firestorm over this one.
Actually, I'm writing a post on it now, and will still continue, but will make a note that you pulled your writing.
Shelly famous in Viet Nam as running dog imperialist paper tiger.
This is perhaps the most frightening thing that I've seen yet.

As I've commented before, I run my own personally implemented popup/spam blockers, nearly complete lockdown, etc. [re: circle of shame comments a few weeks back]. For a few months I've had a popup-free world.

But one of the things I truly hate is when my status bar disappears. And just in the past week or so I've managed to run into a number of sites that somehow are getting windows to pop up even though my blocker is running. Not had the time to debug that.

But this takes the cake. I know what you did ... and I can't imagine the potential for phishing with this approach (or for how long it's already been going on). Particularly cute is the "lock" bitmap ;-()
Don, are you recording the stuff we are entering in those boxes? :)
Clever and scary! Even using Mozilla, I didn't immediately react to the IE style browser elements suddenly appearing.

Among other things, I think this is a good proof of how much semantic information there is in *presentation*, and how much meaning there is in common page (information) architectures even when the visual surface layers change.

I responded to things like a status bar and back button being in certain places on the page, but, seeing them in the right places, I didn't immediately notice that they had totally changed in visual appearance.
Brilliant.
Well, I use Opera, and if a window pops up, it will still be *inside* the main Opera frame. And besides, I've got a cool skin on mine, and if my buttons suddenly change style, it usually means ads for something and I turn the other way.
This vulnerability is actually deeper than what the demo shows. This demo only demonstrates the spoofing allowed by a popular DHTML feature. It is amazing, though, that no one seemed to have seen the harmful use of the feature despite it being right in front of everyone.

Thankfully, this particular vulnerability can be minimized by disallowing menubars, toolbars and statusbars from being hidden, although the change will break a whole lot of webpages out there. The deeper stuff can't be fixed. I'll discuss it in a future post.
Alexander, not everyone is observant and not all the visual tricks are easily detected. For example, if I popup a window that looks exactly like the previous window, all you would see is a flicker and a new window button on the taskbar which is not very noticeable.
Don, yes, given people have no control over their JavaScript. And, admittedly for now, most people don't. Heck, most people don't even care. Switch now, before it is too late! :)
Wait til I show you why it is more than a browser problem by showing how similar visual tricks can be used for phishing intranet passwords.
I'd be wary of declaring now that this isn't something that someone intent on fraud/phishing couldn't dynamically generate based on the HTTP headers ... if Opera has that +20% market share that some are predicting by the end of the year, somebody will figure out a way to do something very, very similar.

I think the key point here is what Jay stated about the semantic content in the presentation.

I say ban all popups!

Don ... how do you disable menubar/statusbar from being hidden?
Phil,

Changes have to be made in the browser engine by ignoring "menubar=no", "toolbar=no", and "status=no".
I'm a bit thick on this browser engine stuff ... is this something I can configure as a end-user of IE?
Oops. Sorry. No, it's something browser vendors such as Microsoft and Mozilla have to do with patches. The fix I am going to talk about in 'Secure UI' will require an OS update.
Now I'm on the same page. Thanks for the clarification. Look forward to the posting.
I'm using Mac OS X, and Mozilla, and the Orbit theme, and other extensions... Please create a demo that will somehow trick me.

It's a nice demo though, I suppose it could work in some circumstances...

(As usual, I recommend against using Windows... ;)
Pete, indeed -- this trick fails on the Mac because of the single menubar design.
histrionic   at 2004/02/12 10:16:05 AM
I've worried about the same thing, even on Mac OS X, for some time. How do you secure the UI? What happens if someone wants to make a malicious application that pops up the ever-present admin authentication dialog? How do you tell the difference? There's nothing there that can't be faked.

Yes, first you'd need to get your malicious application on the computer, but so much trouble continues to come from social engineering that I suspect we'll see this sort of thing happen sooner, rather than later.
Hmmm, thinking more about this, I'm wondering if an XUL-based app written for Mozilla could do this sort of visual spoofing... I'm going to doubt it, but I'll keep it in my mind as a possibility.
Stephane Rodriguez   at 2004/02/16 09:57:24 PM
Doesn't work for me. I've all external javascript code blocked by default.
That's another reason why customizing Windows is good. They can never fool you with picture-based spoofing since the toolbars and window borders are different.
Possible solution:
Have the website prove its identity to you. For example, if you are logged in or have some kind of persistent cookie, you could personalize the page with a logo, a theme or anything else. If this "sign" is missing, it may be a spoof.
Good demo! Although it wasn't specifically designed to avoid this issue, Mozilla Firefox allows users to control whether JavaScript can turn off resizing, status bars, address bars, etc. Since I've overridden the default settings in Firefox, I saw the normal Firefox address bar in addition to the spoofed toolbar.

Just as bad is the IE6 "chromeless windows" security exploit that persists even today. More information:

http://bmonday.com/articles/496.aspx
Well someone has done it, see:

http://www.antiphishing.org/phishing_archive/Citibank_3-31-04.htm
