By Dan Goodin, Ars Technica, Dec 2 2012
Be careful what you type on your computer while surfing the Web. It very well could be funneled to a script kiddie who has appropriated a handful of lines of code and inserted it into his site.
Proofs of concept here and here show how this method could be used to trick people into divulging their password or credit card number respectively. The pages pose as lists that catalog leaked user data and invite visitors to search it to see if their information is included.
To be sure, the demos are crude. The search bars that are opened are only a rough approximation of the search bars found in Google’s Chrome browser. And of course, they look nothing like the search interfaces found in Internet Explorer, Firefox, or other browsers. But as security expert Bruce Schneier once noted, exploits only get better. There’s nothing stopping a determined attacker from improving the hacks so they present an authentic-looking box that’s customized for whatever browser and operating system an end user happens to be using. Other browser functions, such as the ctrl+s or ⌘+s save commands, could also be intercepted and replaced with a fake dialog box that instructs users to enter their administrator password.
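The interception the article describes relies on a page script cancelling the browser's own keyboard shortcut before the real find or save UI can open. The following is an added example, not code from the article or from the linked proofs of concept: a defender-side monitor that records any keydown listener which cancels a browser-reserved combo such as ctrl/⌘+f or ctrl/⌘+s. The names `installShortcutHijackMonitor`, `FakeKeyEvent` and `demo`, and the one-line `hijackFind` listener used as test input, are my own constructions; in a real browser the monitor would be installed on `EventTarget.prototype` from an extension content script.

```javascript
// Added example (not from the article): a defender-side monitor recording page scripts
// that cancel browser-reserved shortcuts such as ctrl/⌘+f and ctrl/⌘+s. In a browser it
// runs from an extension content script at document_start on EventTarget.prototype.

// Shortcuts the browser owns; a page rarely has a legitimate reason to cancel them.
const RESERVED_KEYS = new Set(['f', 's', 'p', 'l']);

function isReservedShortcut(ev) {
  const mod = ev.ctrlKey || ev.metaKey;   // ctrl on Windows/Linux, ⌘ (metaKey) on macOS
  return !!mod && !ev.altKey && RESERVED_KEYS.has(String(ev.key).toLowerCase());
}

// Wrap addEventListener on `target` (an instance or a prototype). Each keydown listener
// that newly calls preventDefault() on a reserved combo is appended to `report`.
function installShortcutHijackMonitor(target, report = []) {
  const original = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    if (type !== 'keydown' || typeof listener !== 'function') return original.call(this, type, listener, options);
    const wrapped = function (ev) {
      const before = ev.defaultPrevented;
      const result = listener.call(this, ev);
      if (!before && ev.defaultPrevented && isReservedShortcut(ev)) {
        const combo = `${ev.metaKey ? 'meta' : 'ctrl'}+${String(ev.key).toLowerCase()}`;
        report.push({ combo, listener: listener.name || '(anonymous)' });
      }
      return result;
    };
    return original.call(this, type, wrapped, options);
  };
  return report;
}

class FakeKeyEvent extends Event {   // constructed stand-in for KeyboardEvent, which Node lacks
  constructor(key, mods = {}) {
    super('keydown', { cancelable: true });
    Object.assign(this, { key, ctrlKey: false, metaKey: false, altKey: false }, mods);
  }
}

// One hijacking listener (stand-in for the scripts the article describes) on a monitored target.
function demo() {
  const page = new EventTarget();
  const report = installShortcutHijackMonitor(page);
  page.addEventListener('keydown', function hijackFind(ev) { if (isReservedShortcut(ev)) ev.preventDefault(); });
  page.dispatchEvent(new FakeKeyEvent('f', { ctrlKey: true }));  // flagged as ctrl+f
  page.dispatchEvent(new FakeKeyEvent('s', { metaKey: true }));  // flagged as meta+s
  page.dispatchEvent(new FakeKeyEvent('a', { ctrlKey: true }));  // ctrl+a is not reserved: not flagged
  return report;
}

console.log(JSON.stringify(demo(), null, 2));
```

The wrapped listeners are not tracked for `removeEventListener`, which a production content script would need to add; the monitor also only sees listeners registered after it is installed, which is why it must run before any page script.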