Severity: Moderate/low
Problem description
A malicious page can be crafted to send the userto his banking site, and shortly afterwardsdisplay a dialog enticing the user to type inhis bank login credentials.
The dialog will appear in front of the bankingpage, while the window it really belongs to willbe hidden. If the timing and context is right,the message displayed in the dialog may be ableto deceive the user.
For example, the user goes to his banking sitefrom a Web page that happened to have a link tothat bank. If he got the link to that pagethrough e-mail, it could easily have come from ascammer.
Vulnerable versions of Opera
Any version that supports JavaScript. Testedon 6.1, 7.0 and 7.54.
Opera’s response
Opera Software has made a fix that preventsthis trick. The fix is available in the8.0 version of Opera, which is due later thisyear. A beta version of Opera 8.0 withthe fix is available for download.
We will not make a bugfix release for this.
There are other avenues of attack that can dobetter imitations and deceptions than thisparticular approach. Educating the users isthe best we can do.
Safety precaution
We advise users to always access their onlinebanks and vendors by way of bookmarks they havemade themselves, or by typing the address intothe address field. Never follow a link to atrusted site from a site that you do not fullytrust. This rule applies to any site where youwould enter sensitive information, such as yourcredit card number.
Extra precaution
If you only have one page (“tab”) open in Opera,this attack will not work. This precaution willguard you against several potential JavaScripttricks.
Credits
Thanks to Jakob Balle at Secunia for demonstratinghow delayed popups can be used for deception.