
MIT Technology Review



Abraham went on to demonstrate a Java applet (code that runs inside the browser) that could grant an attacker access to a user’s machine, including encrypted files, and to the machine’s microphone. To pull this off, the attacker has to get the user to click twice: once to visit a page the attacker controls, and once to click through a browser warning. However, Abraham says that an attacker could disguise the applet as legitimate software related to programs the user has already installed.

While many of the attacks revealed by the pair need to be customized to a particular person, Abraham says it might be worth the effort if, for example, an attacker is trying to gain access to a particular company network.

Hansen adds that the attacks don’t call for much technical skill. “Most of the hard work has already been done for you,” he says, since many of the tools needed to pull off the attacks are freely available online.

Kate McKinley, a security researcher with San Francisco-based iSec Partners who studies browser privacy, agrees that plug-ins such as Flash can open up privacy holes. She notes that most browsers offer a feature that clears private data, but says this often doesn’t cover what is stored in plug-ins or certain newer browser features. Cookies stored in Flash, for example, can persist even when a user switches browsers, since they store data in a different dedicated location.

Users can protect themselves, Hansen says, but this means changing their online habits. For example, users need to get into the habit of questioning any dialogue boxes that are thrown up by the browser. “Are you willing to trade off usability for your security and privacy?” he asks. “There’s no easy answer, but we need to raise awareness of these issues.”


Credit: Technology Review

Tagged: Web, security, privacy, browsers, DEFCON
