[LINK] Study shows pop-up warnings are ineffective
Ivan Trundle
ivan at itrundle.com
Tue Sep 30 09:49:59 AEST 2008
On 30/09/2008, at 9:46 AM, Marghanita da Cruz wrote:
> Ivan Trundle wrote:
>> On 30/09/2008, at 5:33 AM, Roger Clarke wrote:
>>> But this is link; and there are people out there who aren't
>>> amateurs
>>> like me. Can someone confirm or deny the reliability of 'Cancel'
>>> buttons?
>> No reliability at all. It's possible to script a function to do
>> anything at all from a cancel button (if the user permits
>> javascript et al to operate).
>> Whilst the DOM may try to interpret button action and behaviour,
>> there is nothing to prevent someone from creating any action from
>> any button with any name. The html you described is quite possible.
>> Even using the window close widget (OS-dependent) can evoke an
>> undesirable action.
>
> But isn't this covered by the browser security functionality?
>
> i.e. while you may be able to download a file - pdf or exe opening/execution
> should be a different function.
Assuming that the code presents a known security issue that the
browser can detect and act upon, yes - this is correct.
However, there are enough unpatched and/or unintelligent browsers in
use to make malicious scripting a worthwhile exercise for nefarious
types.
However, making 'Cancel' do something other than cancel, but which is
NOT malicious, is unlikely to be trapped. For example, a 'cancel'
button that offers another pop-up asking if you really, really, really
want to cancel...
iT
>> May 2, 2006 (IDG News Service) -- Mozilla Corp. has released an
>> update to its Firefox browser, fixing a known security flaw in the
>> open-source software.
>> The bug, reported last week, involves the way Firefox handles
>> JavaScript code. It could be exploited by attackers to crash an
>> unpatched browser and, in theory, could also provide them with a
>> way to trick the browser into running malicious code, Mozilla said
>> in a security alert
>