Fake or BAD news for "Tabbed-Browsers"? (Firefox, too)

Hi,

just found THIS while surfing around and reading some news…

i tried it and what shall i say? it is exaclty as said on the site, but one thing is strange on this “test”!

They say you should open the link on the page in a new tab, then wait for the site to load and then a messagebox appears… you have to enter a text there, and after pressing OK you can tab back to the first tab and see what you entered “on the citibank.com” site…

and here is what makes me feeling strange about this: the “Insert Text here…” window also openes, if you just “Mouse-Over” the link of citibank.com -so i think this message box has got nothing to do with citibank…

and this would just make this “test” void, because it is no difficulty to get an enterd string from a java-script into you hp, so i would NOT call this a security-bug…

what do you think???

Raz

Hey,
well yeah i got the same… maybe just clever bit of coding?

VH
:confused:

That is the whole point. You trick users into entering for example their credit card number in the box wich pops up when viewing the citibank page and then the number is sent to the other page. This can probably be done with frames just as easily: make one big frame that loads bankpage and also run scriptprompt onLoad.

Not a security bug imho just a little confusing that’s all

And I don’t think that the mouse over behavior is intended, doesn’t happen when I mouse over…
Wich browser are you using?

And I don’t think that the mouse over behavior is intended, doesn’t happen when I mouse over…
Wich browser are you using?

firefox 1.0PR (0.10.1)

Not a security bug imho just a little confusing that’s all

yes, right… it’s just that some users might think that the popup is by the page they view at the moment…
but - hey, i’ve never entered something if a popup want to force me to… :wink:

i just read that the mozilla / firefox - team is trying to fix it atm, as i read they want to make sure that pages in the background (-tabs) cannot open such popup windows over other tabs - so that any “enter your credit card number…”-window :wink: will only be displayed if you change to the “mother”-page-tab with a hint that the popup belongs to it…

this was on slashdots mainpage…yesterday?

This so-called bug is very very old. I read about it a few weeks ago. AFAIK, about every tabbed browser has this issue.

right…!

so, if something is written somewhere it doesn’t have to be written here to make it more public? then we would not need this forum(s), because the knowledge written down in here has often be written down in other places…

if we didnt think it should be here, we would remove it.