RSS Alerts

Share

More services

Related Links

  • Checkmarx
  • Elsevier Ltd is not responsible for the content of external websites.

Related Stories

  • France joins Germany in public slamming of Internet Explorer
    Following on from Germany's internet security agency publicly slamming Internet Explorer over the weekend and advising internet users to switch to another browser, France's CERTA agency has made a similar pronouncement.
  • Corsaire highlights potentially serious flaw in web browsers
    Corsaire, the international security consultancy, claims to have identified a potentially serious flaw with most popular web browsers.
  • Mozilla moves swiftly to patch SSL loophole in Firefox
    Programmers with the Mozilla Foundation have moved rapidly to patch one of the two SSL security flaws in web browsers, such as Firefox, identified by researchers at the Black Hat security briefings in Las Vegas late last week.
  • Apple releases Safari 4.0 to counter security flaws
    Apple Computer has released v 4.0 of its increasingly popular Safari web browser for Windows and Mac OSX-based computers. The release counters the recent security flaws reported in CFNetwork, CoreGraphics, ImageIO, International Components for Unicode, libxml, Safari, Safari Windows Installer, and webKit
  • Security flaw exposed in Google Chrome
    Fresh after Google’s tenth birthday, the entrepreneurial company is facing reports that its new browser, Chrome, contains a security flaw, just a day after its release in beta.

Top 5 Stories

News

Checkmarx identifies new web browser vulnerability

27 January 2010

Israel's Checkmarx, a company that specialises in program code analysis, claims to have identified a relatively new type of web browser vulnerability called cross-site history manipulation.

The Tel Aviv-headquartered firm says that the problem – which affects most mainstream web browsers – allows a remote hacker to compromise web applications. Classing the vulnerability as a type of zero-day attack, Checkmarx says that the exploit works by taking advantage of an individual's browsing history seen in Mozilla Firefox, Google Chrome and Internet Explorer.

By manipulating the browser history, the firm claims it is possible to compromise a web browser's same origin policy (SOP) and so violate user privacy.

As a result, the firm adds, a hacker can gain full credentials when accessing any applications the users may have recently used, such as online banking or e-commerce.

Maty Siman, Checkmarx'  founder and chief technology officer, said that it helps to imagine if someone could access your entire web browsing history – including your passwords – and then their going directly to your recently accessed banking web page or online shopping site.

"This new exploit highlights that despite the large prevention efforts by platform providers, the browser still remains one of the key vehicles of choice to execute cybercrime", he said.

According to Siman, the exploit can be prevented by fixing the browser or web applications by developers.

To help major web browser users, as well as application developers, stop the proliferation of the exploit, Checkmarx has notified the main web browser companies and published a guide to identifying and remediating the vulnerability on its website.

Alex Roichman, Checkmarx' head of research, said that, whilst web browsers must do everything they can to fix the problem, application developers don't need to wait for browsers to build a patch or users to download an updated version.

"To pro-actively prevent this problem, application developers should build a random token to block hackers from accessing the browser history for malicious purposes", he said.

This article is featured in:
Data Loss  • Internet and Network Security • Malware and Hardware Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

Terms & Conditions |Privacy |Website Design|Reed Exhibitions. All rights reserved. Copyright © 2012