Skip to Content

A Portal to Your Passwords

A Web browser loophole could make it easier for crooks to scam the unwary.
January 20, 2009

A thief wanting to make cash by stealing sensitive information online can break into the banking systems that store such data or grab it as it travels over an insecure connection. But these days, it’s much easier to go “phishing” instead–in other words, to convince unwary Internet users to hand over such information themselves. To do this, phishers typically design fake versions of real websites–like a bank or an online retailer–and lure unwitting Web surfers into entering their login data or credit-card details. A common ploy is to sucker them in with an e-mail that claims to come from a real bank but actually contains links to one of the phishers’ bogus sites.

Would-be victims are growing familiar with this basic phishing attack, however, and many e-mail and browser vendors have introduced countermeasures to protect them. So phishers are searching for new ways to sting the unwary, says Amit Klein, CTO of Trusteer, based in Tel Aviv, Israel. For example, the microblogging site Twitter is increasingly being used to distribute phishing links.

Nonetheless, Klein says that “the [basic] attack will not be as successful in the future as it has been up until now,” and in an effort to prevent future phishing attacks, his company is looking for better ways to con people out of cash before the bad guys can. A worrying new tactic being explored by some phishers, says Klein, involves hacking into a legitimate website in order to inject malicious code that throws up a pop-up window requesting individuals’ usernames and passwords for a banking site. This approach is of limited value, however, since most users will be suspicious of the sudden request.

A vulnerability in major browsers recently discovered by Trusteer could make this trick much more dangerous, by allowing for “in-session phishing” and a more tailored attack. Using this new vulnerability, a phisher could detect, via the hacked site, when a user was already logged in to a banking website. The hacked site could then launch a pop-up warning the user that her session has timed out and asking her to reenter her login details. This approach would be less likely to raise a red flag, says Klein, since the pop-up does not appear completely out of the blue.

Phishing 2.0: A vulnerability recently discovered by security company Trusteer would allow attackers to launch pop-ups matching those of a bank that a user is already logged in to, as shown above.

The core vulnerability discovered by the Israeli researchers is a Web browser flaw that lets the phisher see what other websites a person is visiting. Klein explains that a certain JavaScript function, commonly used by online retailers, financial institutions, and other sites, leaves a footprint revealing that the user is logged in to that site. Klein says that protections such as pop-up blockers wouldn’t necessarily derail the attack because the hacked site could itself be altered to seem like a request to log in again.

“I think it is great that we are trying to identify additional venues of phishing attacks such as this,” says Nitesh Dhanjani, an independent security researcher who studies phishing methods and trends. For the time being, Dhanjani says, this kind of attack is beyond the technical abilities of the average phisher. “The bar is far too low to enter the phishing game, so the phishers have no reason to evolve into a sophisticated community,” he says. However, as users are better protected against the most basic types of attack, he says, the technical bar for phishers could start to rise: “Perhaps this is when we will see slightly more advanced techniques incorporated into phishing kits.”

Klein says that Microsoft, Apple, and Mozilla have told him that they plan to issue fixes for the browser vulnerability discovered by Trusteer. He adds that users can protect themselves by being careful to log out of banking and e-commerce sites before visiting other websites.

Deep Dive


The race to destroy PFAS, the forever chemicals 

Scientists are showing these damaging compounds can be beat.

Capitalizing on machine learning with collaborative, structured enterprise tooling teams

Machine learning advances require an evolution of processes, tooling, and operations.

How scientists are being squeezed to take sides in the conflict between Israel and Palestine

Tensions over the war are flaring on social media—with real-life ramifications.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.