/v3-uk/news/1997435/spoofing-flaw-hits-major-browsers
24 Jun 2005, Tom Sanders in California, V3
Security company Secunia has warned of a flaw in a number of browsers that could expose users to phishing attacks.
The company claims that most major browsers, including Internet Explorer, Firefox and Safari, suffer from a so-called Dialog Origin Spoofing Vulnerability.
Opera 8.01 is one of the few browsers not affected by the flaw.
A hacker could use a JavaScript dialog box to ask a web visitor to enter confidential information. The flaw centres on the fact that users have no way of verifying the origin of the dialog box.
"The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open, for example a prompt dialog box, which appears to be from a trusted site," Secunia wrote in a security advisory on its website.
Hackers could exploit the flaw by offering a link to a trusted website that simultaneously provides a malicious pop-up that asks for confidential information.
Microsoft has acknowledged the threat, but said that it will not release a patch because it uses "current standard web browser functionality".
Instead, the software vendor urged users to use common sense before entering confidential information through a web browser.
"If a particular window or dialog box does not have an address bar and does not have a lock icon that can be used to verify the site's certificate, the user is not provided with enough information on which to base a valid trust decision about the window or dialog box," said Microsoft.