Paid Advertising
web application security lab

Dialogs Of Doom

So maluc and I went down the rabbit hole (again) looking for ways to screen scrape across domains using Java applets. You’d put a malicious Java applet on a page and an iframe to another domain that had sensitive information on it - then you’d use the Java applet to take a pixel by pixel screen shot and then log it for later analysis. Of course you can’t do it with Java, and for good reason, but you may be able to do it with Java Web Start. Of course there’s a security dialog but it’s pretty weakly worded and doesn’t look like it’s actually a security warning, so then I went down the path of looking at ways to force people to click on dialogs. The most obvious way is to float a whole bunch of JavaScript alerts in the same place right above where the “Yes” or “Always” buttons live hoping to trick them into clicking on the Java Web Start dialog.

But it got me thinking. People are fairly used to having to click on popups rather quickly to get rid of them and it it’s also fairly easy to change out the popups after a certain amount of clicks or if the rate of clicks reaches a certain threshold of clicks per minute. It’s also possible that those popups aren’t actually popups but rather DHTML that happen to look like popups and hover perfectly above where the more nefarious popup will come in once you are satisfied that the user is clicking quickly enough that they will inadvertently click on the Java Web Start dialog (or whatever type of dialog you are interested in getting them to click on).

Here’s what I came away with after this research: 1) users get frustrated easily, 2) they can’t tell the difference between good dialogs and bad dialogues when they are clicking quickly, 3) they will click on things if they think that by clicking on them they will get what they want (we already knew that from the porn movie codec malware guys) 4) because things like Java Web Start aren’t part of the chrome like the Information Bar or other chrome based notification, it’s easier to spoof, and 5) humans can’t tell the Z access of things in 2D objects so they can’t identify what is and isn’t a popup unless they have other issues during usability. It feels like there’s something exploitable here…

5 Responses to “Dialogs Of Doom”

  1. Owen Says:

    This is an interesting concept. Its a possibility that silverlight might work for this. I think you are right about people clicking on anything, especially if they get bombarded all at once and can’t tell which window / tab they are coming from.

    - Owen.

  2. Awesome AnDrEw Says:

    While it’s quite unusual it is also very clever. I think I am most captivated by the idea of copying each pixel from a frame for later inspection.

  3. thrill Says:

    Top right hand corner == go away, at least that’s what most user’s brains think.. unless someone like you comes around and puts the code to be clicked on that [X] instead.. ;)


  4. rvdh Says:

    They just hold the enter key if there are many alerts, people are too lazy to click away 50 alerts.

  5. X-Man Says:

    Is it possible to access local files trough a Java Applet?
    Changes the security dialog if you try different actions?