July 13, 2004

A new security flaw allows crooks to place false, or "spoofed," information into Web pages displayed by virtually any browser, not just Microsoft's Internet Explorer.

This represents a large -- and frightening -- step beyond the ability to place a counterfeit URL in the browser's address bar. That scheme involved loading a completely false page while the address bar displayed a legitimate URL.

The new technique is more insidious, in that it can seamlessly insert false information into the browser display of legitimate pages.

The announcement that the new exploitation approach crossed browser lines came just as the Department of Homeland Security, among others, recommended that users shift to non-Microsoft browsers, such as Mozilla or Opera.

The timing of the recommendation turned out to be ironic, of course, but irony is cold comfort in an environment in which we're almost daily being forced to distrust the content that appears in our browsers and mail programs.

So far this year we've seen a stunning increase in the number of spoof-based e-mail phishing scams that guide users to false, but official-looking, sites. Phishing, awful as it is, at least requires that the victim do something, however foolish, such as responding with credit-card information to an e-mail.

That's precisely the sort of bait-and-switch con that can at least be approached through education and behavioral change. Anti-phishing tips basically come down to common-sense advice about verifying financial communications before responding to them.

The latest spoofing scam takes bait-and-switch to a new level, hiding the switched information in plain sight -- right there on the page in front of us.

This new area of uncertainty will doubtless compound existing worries over data breaches and incidents like last week's coordinated attack on financial sites.

The result is an environment that may seriously, and perhaps cripplingly, deepen already substantial doubts about the trustworthiness of online transactions.

Is there a point at which all of the levels of patches, verifications, firewalls, anti-virus definitions and the rest will become simply too much for many people to bother with? If so, the browser-spoofing vulnerability is likely to move many people one step closer to giving up. Let's hope not.

Test Your Browser's Spoofing Vulnerability

  • Secunia Browser Vulnerability Test

    This article originally appeared in InternetWeek, part of CMP Media's TechWeb. URL: http://www.internetweek.com/allStories/showArticle.jhtml?articleID=22104462