[LINK] Study shows pop-up warnings are ineffective

Ivan Trundle ivan at itrundle.com
Tue Sep 30 09:49:59 AEST 2008


On 30/09/2008, at 9:46 AM, Marghanita da Cruz wrote:

> Ivan Trundle wrote:
>> On 30/09/2008, at 5:33 AM, Roger Clarke wrote:
>>> But this is link; and there are people out there who aren't
>>> amateurs like me. Can someone confirm or deny the reliability of
>>> 'Cancel' buttons?
>> No reliability at all. It's possible to script a function to do
>> anything at all from a cancel button (if the user permits
>> JavaScript et al to operate).
>> Whilst the DOM may try to interpret button action and behaviour,
>> there is nothing to prevent someone from creating any action from
>> any button with any name. The HTML you described is quite possible.
>> Even using the window close widget (OS-dependent) can evoke an
>> undesirable action.
>
> But isn't this covered by the browser security functionality?
>
> i.e. while you may be able to download a file - PDF or EXE
> opening/execution should be a different function.

Assuming that the code presents a known security issue that the
browser can detect and act upon, yes - this is correct.

However, there are enough unpatched and/or unintelligent browsers in
use to make malicious scripting a worthwhile exercise for nefarious
types.

However, making 'Cancel' do something other than cancel, but which is
NOT malicious, is unlikely to be trapped. For example, a 'cancel'
button that offers another pop-up asking if you really, really, really
want to cancel...

iT

>> May 2, 2006 (IDG News Service) -- Mozilla Corp. has released an
>> update to its Firefox browser, fixing a known security flaw in the
>> open-source software.
>> The bug, reported last week, involves the way Firefox handles
>> JavaScript code. It could be exploited by attackers to crash an
>> unpatched browser and, in theory, could also provide them with a
>> way to trick the browser into running malicious code, Mozilla said
>> in a security alert
>
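An added example, not code from this thread or from anyone on the list: a small JavaScript audit over constructed sample markup, illustrating the point made above that a button labelled 'Cancel' has no fixed behaviour and only its handler tells you what it does. The sample HTML, the label patterns and the "benign handler" patterns are all assumptions of mine, and the regex matching is a review aid for simple markup, not a full HTML parser.

```javascript
// Constructed sample markup: four buttons, three of them labelled "Cancel".
// Only the first does what its label says; the other two run other code.
const SAMPLE_HTML = `
<form>
  <button onclick="return false;">Cancel</button>
  <input type="button" value="Cancel" onclick="location.href='http://example.invalid/setup.exe'">
  <button onclick="confirm('Really, really cancel?')">Cancel</button>
  <button onclick="submitForm()">Save</button>
</form>`;

// Labels a user reads as "back out without doing anything" (assumed list).
const BENIGN_LABEL = /^\s*(cancel|close|no|dismiss)\s*$/i;
// Handler bodies that genuinely do nothing beyond stopping the event (assumed list).
const BENIGN_HANDLER = /^\s*(return\s+false;?|event\.preventDefault\(\);?|window\.close\(\);?)?\s*$/i;

// Walk <button>...</button> and <input ...> tags, pick those with a
// cancel-like label, and flag any whose onclick is not a known no-op.
function auditCancelButtons(html) {
  const findings = [];
  const tag = /<(button|input)\b([^>]*)>(?:([^<]*)<\/button>)?/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const attrs = m[2];
    // <button> carries its label as text; <input> carries it in value="".
    const label = m[1].toLowerCase() === 'button'
      ? (m[3] || '')
      : ((attrs.match(/\bvalue\s*=\s*"([^"]*)"/i) || [])[1] || '');
    if (!BENIGN_LABEL.test(label)) continue;
    const handler = (attrs.match(/\bonclick\s*=\s*"([^"]*)"/i) || [])[1] || '';
    findings.push({
      label: label.trim(),
      handler,
      // The label gave no hint of this; the handler is the only evidence.
      suspicious: !BENIGN_HANDLER.test(handler),
    });
  }
  return findings;
}

for (const f of auditCancelButtons(SAMPLE_HTML)) {
  console.log(`${f.suspicious ? 'SUSPICIOUS' : 'ok        '} "${f.label}" -> ${f.handler || '(no handler)'}`);
}
```

The same check would flag the second pop-up Ivan describes, since a nested confirm() is not a no-op even though it is harmless.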