Abraham went on to demonstrate a Java applet (code that runs inside the browser) that could grant an attacker access to a user’s machine, including encrypted files, and to the machine’s microphone. To pull this off, the attacker has to get the user to click twice: once to visit a page the attacker controls, and once to click through a browser warning. However, Abraham says that an attacker could disguise the applet as legitimate software related to programs the user has already installed.
While many of the attacks revealed by the pair need to be customized to a particular person, Abraham says it might be worth the effort if, for example, an attacker is trying to gain access to a particular company network.
Hansen adds that the attacks don’t call for much technical skill. “Most of the hard work has already been done for you,” he says, since many of the tools needed to pull off the attacks are freely available online.
Kate McKinley, a security researcher with San Francisco-based iSec Partners who studies browser privacy, agrees that plug-ins such as Flash can open up privacy holes. She notes that most browsers offer a feature that clears private data, but says this often doesn’t cover what is stored in plug-ins or certain newer browser features. Cookies stored in Flash, for example, can persist even when a user switches browsers, since they store data in a different dedicated location.
Users can protect themselves, Hansen says, but this means changing their online habits. For example, users need to get into the habit of questioning any dialogue boxes that are thrown up by the browser. “Are you willing to trade off usability for your security and privacy?” he asks. “There’s no easy answer, but we need to raise awareness of these issues.”