Share

Related Links

  • Checkmarx
  • Reed Exhibitions Ltd is not responsible for the content of external websites.

Top 5 Stories

News

Checkmarx identifies new web browser vulnerability

27 January 2010

Israel's Checkmarx, a company that specialises in program code analysis, claims to have identified a relatively new type of web browser vulnerability called cross-site history manipulation.

The Tel Aviv-headquartered firm says that the problem – which affects most mainstream web browsers – allows a remote hacker to compromise web applications. Classing the vulnerability as a type of zero-day attack, Checkmarx says that the exploit works by taking advantage of an individual's browsing history seen in Mozilla Firefox, Google Chrome and Internet Explorer.

By manipulating the browser history, the firm claims it is possible to compromise a web browser's same origin policy (SOP) and so violate user privacy.

As a result, the firm adds, a hacker can gain full credentials when accessing any applications the users may have recently used, such as online banking or e-commerce.

Maty Siman, Checkmarx'  founder and chief technology officer, said that it helps to imagine if someone could access your entire web browsing history – including your passwords – and then their going directly to your recently accessed banking web page or online shopping site.

"This new exploit highlights that despite the large prevention efforts by platform providers, the browser still remains one of the key vehicles of choice to execute cybercrime", he said.

According to Siman, the exploit can be prevented by fixing the browser or web applications by developers.

To help major web browser users, as well as application developers, stop the proliferation of the exploit, Checkmarx has notified the main web browser companies and published a guide to identifying and remediating the vulnerability on its website.

Alex Roichman, Checkmarx' head of research, said that, whilst web browsers must do everything they can to fix the problem, application developers don't need to wait for browsers to build a patch or users to download an updated version.

"To pro-actively prevent this problem, application developers should build a random token to block hackers from accessing the browser history for malicious purposes", he said.

This article is featured in:
Data Loss  •  Internet and Network Security  •  Malware and Hardware Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×