The Tel Aviv-headquartered firm says that the problem – which affects most mainstream web browsers – allows a remote hacker to compromise web applications. Classing the vulnerability as a type of zero-day attack, Checkmarx says that the exploit works by taking advantage of an individual's browsing history seen in Mozilla Firefox, Google Chrome and Internet Explorer.
By manipulating the browser history, the firm claims it is possible to compromise a web browser's same origin policy (SOP) and so violate user privacy.
As a result, the firm adds, a hacker can gain full credentials when accessing any applications the users may have recently used, such as online banking or e-commerce.
Maty Siman, Checkmarx's founder and chief technology officer, said that it helps to imagine someone gaining access to your entire web browsing history – including your passwords – and then going directly to your recently accessed banking web page or online shopping site.
"This new exploit highlights that despite the large prevention efforts by platform providers, the browser still remains one of the key vehicles of choice to execute cybercrime", he said.
According to Siman, the exploit can be prevented if developers fix the browser or the web applications.
To help major web browser users, as well as application developers, stop the proliferation of the exploit, Checkmarx has notified the main web browser companies and published a guide to identifying and remediating the vulnerability on its website.
Alex Roichman, Checkmarx's head of research, said that, whilst web browsers must do everything they can to fix the problem, application developers don't need to wait for browsers to build a patch or users to download an updated version.
"To pro-actively prevent this problem, application developers should build a random token to block hackers from accessing the browser history for malicious purposes", he said.