On June 6th, numerous security firms issued warnings about a vulnerability present in various web browsers that could be exploited to steal information.
According to these warnings, a wide range of web browsers, including Internet Explorer, Firefox, Mozilla, and SeaMonkey running on Windows, Linux, and Mac platforms, are affected by a JavaScript keylogging vulnerability. A determined attacker could exploit this vulnerability to steal personal information from users, including credit card details and online banking information.
Specifically, security firm Symantec warned that all versions of Internet Explorer and Firefox are affected by this security flaw.
“The issue here is that a determined attacker could exploit the onKeyDown event of the JavaScript client-side programming language to record all keyboard activity of the user,” Symantec warned.
As a result, attackers could use this vulnerability to filter a user's keystrokes while the user fills out a web form and feed them into an “invisible” file upload dialog on the same webpage. This information would then be sent back to the attacker.
“To successfully exploit this security vulnerability, the attacker must force the user to manually enter the complete file path of the file they want to download or perform specific keyboard actions from the victim. Therefore, this vulnerability could become an effective attack tool for web gamers, bloggers, or similar websites that require user input from the keyboard,” Symantec stated.
Meanwhile, security firm Secunia rated this vulnerability as “less severe” – the second lowest level on a five-tier scale measuring the danger of security flaws.
This is an unusual security vulnerability because it affects not only Internet Explorer – even fully patched IE 6.0, and even IE 7.0 – but also Firefox and some other browsers like SeaMonkey. It is also the first security flaw to impact versions of browsers across a range of different platforms, including Windows, Linux, and Mac.
Charles McAuley, who first discovered this security vulnerability and reported it through the Full Disclosure security mailing list on June 5th, published exploit code that demonstrates the full capability of exploiting this security flaw.
Symantec advises users to disable the JavaScript feature of their browsers.
Hoàng Dũng