Imagine you’re a web advertiser.
Imagine you can open a popup window from a web page defeating any popup blocker.
Imagine this popup can invade the whole desktop, full screen.
Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No mean to close it.
Imagine user can’t move or minimize this popup. It will go away only when the browser is killed or your show is done…

Now imagine you’re a phisher.
Imagine you can use this almighty popup to draw anything you want. A fake browser or — why not? — a whole fake desktop to collect user’s data.

Impossible wet dreams of clueless evildoers?
No, it’s just 100% Pure Java™ Reality.


If you’re using Opera or a Gecko-based browser, a similar full screen evil can be performed with just a few JavaScript lines. No need to compile and host any applet, thanks to the LiveConnect technology.

I’ve notified Sun on 29-Jul-2007.
My bug report has been evaluated and publicly disclosed by Sun yesterday (06-Aug-2007) as a request for enhancement.

Update (08-Aug-2007):

Looks like responsibly filing a bug in the Sun’s bug tracker, religiously waiting one week for its classification by Sun engineers and having it finally published by Sun itself as a non-security-related RFE is not enough to go public. I should have known that security reports should be submitted to security-alert at sun dot com to be properly handled. When Maarten Van Horenbeeck (SANS ISC) did it, Sun requested him to request me “to keep the issue confidential, and hold the blog post, till Sun has completely fixed it and is ready to issue a Sun Alert to warn users“. At that time, my post had been already out for some hours, read and commented by many “hackers” supporting full disclosure. Therefore, I respectfully answered (directly to security-alert at sun dot com, with SANS in CC) explaining why retracting it would have been useless, but apologized for my mishandled report and offered any other help, including my promise to use security-alert at sun dot com instead of the regular bug tracker for future responsible disclosures. I received no answer yet, but in the meanwhile my bug report has been reclassified and made inaccessible. I still wonder why should I have known better than a Sun Bug Tracker employee what the proper channel for a security report was…

Will this take more or less than ten days to be fixed?

In the meanwhile, NoScript is your friend ;)

Update (Oct-22-2007)

Issue fixed. Thanks, Sun.

Demos

  1. Applet based, works in any browser — (update: source code here)
  2. JavaScript based, works in Opera and Gecko-based browsers

Credits

Many thanks to:

116 Responses to “Pure Java™, Pure Evil™ Popups”

  1. #1 tx says:

    Ouch! nice find.

  2. #2 .mario says:

    Wow - I didn’t know this and this IS really scary. Great research, Giorgio, Dan and Ronald.

    Grx,
    .mario

  3. #3 Rosario says:

    Seems Mozilla will remove Liveconnect IF in the near future…
    http://boomswaggerboom.wordpress.com/2007/04/16/javaplugin-cleanup-for-mozilla-20/

  4. #4 scratchz says:

    nice post,,, i’ll fave this blog,,,

  5. #5 Evil Script Popups for all Browsers « scratchz’s code says:

    […] Keterangan tentang arikel ini juga dapat dilihat di link berikut ini : http://hackademix.net/2007/08/07/java-evil-popups/#comment-17 […]

  6. #6 Wyrd says:

    On multiple screen systems, it only “locks” one screen.

  7. #7 wingnut says:

    “[…] Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No mean to close it.
    Imagine user can’t move or minimize this popup. It will go away only when the browser is killed or your show is done… […]”

    Yes, a bug, but nothing as dramatic as you make it out to be. My menu bar remains visible, Exposé still functions, my browser’s keyboard shortcuts (for back, close tab, close window…) still function. Plenty of options for a graceful recovery.

  8. #8 edvin says:

    you can also, if using tabs, just kill the tab that opened the page/link.. no need to kill the browser it self, except with IE*

  9. #9 Andrew Pam says:

    Neither demo does anything at all using the Galeon browser on Ubuntu Linux 6.06 although the Java demo does work using Firefox. Yes, Galeon does have the latest Sun Java plugin installed.

  10. #10 John says:

    If you’ve got dual screens however…you still have the other screen, but that’s still scary

  11. #11 Maurice Reeves says:

    One thing I’ll point out is that I can get the Task Manager to sit on top of it if I hit “Always On Top” and then it’s easy to kill the applet. Also, this hack does depend on Java working correctly on people’s machines. I’ve seen plenty of situations ( my computer included ) where an Applet doesn’t work right because of competing VMs. Still, every impressive. Good job!

  12. #12 Vlad says:

    Just do alt+ space and close.
    no need to kill the browser.

    or alt+space .. move if you have more than one screen ( like me .. where my other screen was not covered

  13. #13 Dan says:

    How about putting a timer in so that the applet goes away after a minute or 2, and tell everyone that they’ll have control in 2 minutes etc…

    Just a thought.

    Great find — thanks for sharing it with everyone — I hope Sun gets off their asses soon. If I were in charge, I would send out an immediate patch that a child of an applet cannot create a window bigger than 600×480 — and people who browse at that resolution deserve to be incapacitated.

  14. #14 notentirelytrue says:

    In Opera 9.21, both of those methods can be closed by simply pressing ctrl+w.

    Additionally in both methods, the task bar and start menu never disappear, so you can also just right-click on your browser and close it.

    I mean, I agree that all browsers should come equipped with a no-script equivalent that is turned on by default, but this isn’t really a problem for Opera users who are technically-saavy (and I think all 7 of us probably are).

  15. #15 aaaa says:

    > Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No mean to close it.

    Immagine a “security researcher” so retarded he does not know you can close a window with ALT-F4.
    Security researcher my hairy ass.

  16. #16 Richard says:

    I think on Linux I’d be OK as the window manager on Linux allows me to be a bit more forceful with windows.
    I like NoScript though, if only to reduce bandwidth and processor usage when it doesn’t help me at all.

  17. #17 David says:

    Takes the screen with Firefox on a mac, but dock and menu bar are still visible and a simple cmd-w closes the window without problem. Same with Safari.

  18. #18 Dan says:

    regarding my earlier timer request — I did not try clicking on the page (there was no text visible on FF2.0.0.6 on FC6). I then tried it on OSX and saw the text — but also saw the dock, etc as others are reporting

  19. #19 hammarlund says:

    Yeah, big deal. I tried out the “one that works on all browsers”. Yeah, full screen, blah blah. Oh no, what am I ever going to do? cmd-w works, but something less drastic is cmd-[

    Back to the previous page.

    Big deal.

  20. #20 Todd says:

    Funny. I didn’t have any problems.
    WinXP Pro with Firefox 2.0.0.5 and a few tweaks, but Java and Javascript are enabled.
    I middle clicked on the link for the supposed “hack” and it opened in a new tab.
    Browser locked up for maybe 30 seconds and then everything was fine.
    No full screen anything.

    Is this a simple “ad” for the NoScript plugin?

  21. #21 Rob says:

    There are many good replies but some of you say that there are easy fixes that even the security researcher should have known. No fix is easy unless it can be widely taught. Most of the key-combos that will kill this thing are unknown to a vast majority of IE users. Those of us who are informed are probably already on something besides IE and know at least one of the keystroke shortcuts to killing this bug or have already downloaded no-script.
    All of us who know a thing or two should also help our uneducated friends and family. I am already sending an e-mail to my 67 year old mom to tell her some of the ways to kill this thing. She works at home and must use IE for the software to work.

  22. #22 Todd says:

    Addendum to my previous post.
    I have my Javascript set to NOT allow:
    -Move or resize windows
    -Raise or lower windows
    -Hide the status bar

  23. #23 Brandon K says:

    SUSE LINUX 10.2 w/ Firefox 2.0.0.5 and dual screens — This thing takes up both screens! Hides my KDE taskbar and prevents CTRL-W from closing the window. Nice find.

  24. #24 Zakaj je pametno uporabljati Firefox extension NoScript | sverde1's blog says:

    […] razlog za tole objavo pa je bila tale objava na blogu avtorja extensiona NoScript, ki je opozoril na dejstvo, da se da z preprostim Java […]

  25. #25 Erich says:

    Didn’t work on my system at all. I am using (fully updated) Kubuntu 7.04 and Firefox 2.0.0.6.

    I am not saying that only one screen was locked. I am saying that it didn’t work at all.

    The Javascript version merely opened a new window with the titlebar and what-not intact. The Java version crashed Firefox :)

    Here’s a screenshot if you don’t believe me:

  26. #26 Brian says:

    Funny. I tried this in Opera and Safari 3 on a Mac. Safari3, neither link did anything. Opera, both links opened a full screen “PWNED” page, but the Dock and top bar were still visible. Gets even better, Opera crashed and had to be Force Quit.

    The first link in FireFox (the applet one) can easily be closed with CMD+W. The second one doesn’t open.

    Neat trick.

  27. #27 Brian says:

    Ah.. double comment post! :P But I just read “AAAA’s” post and had to comment.

    “Immagine a “security researcher” so retarded he does not know you can close a window with ALT-F4.
    Security researcher my hairy ass.”

    Question isn’t whether the Security Researcher knows this, but how many end-users know that ALT+F4 will close a window. Many just know “X in corner means close” or “In Menu Bar on Mac click Applications Name then Quit”. Plus, with what I’ve seen with Opera on Mac, I’m not sure if ALT+F4 would close the window. Opera just kinda locked up.

  28. #28 George says:

    I use Opera, only the applet demo works, not the javascript one. Though I’ve been working with liveconnect lately and suspected this problem might exist (hence I found your post). Nice.

  29. #29 john says:

    Any browser under is OSX perfectly safe from this, as mentioned twice above.

  30. #30 Valdiss says:

    ^^ good point. most end users **cough….old people…cough cough** won’t know how to deal with something like this

  31. #31 Schoschie says:

    Tested on Camino (Gecko-based) running MacOS X.
    The JS version does nothing. The Java version worked.

    I also tried the java popup that you link to on http://www.0×000000.com/. This works, too. I can’t close the popup that is created by the JS code (I have to restart Camino).

    In Safari, apparently, neither of them work (because LiveConnect is not present in Safari, I guess).

    This is very scary. I hope this bug/feature gets “corrected” before spammers catch on.

  32. #32 Craig says:

    Everyone talks about just closing the screen and how this is not a big deal. Issue is what if the app is not taking the full screen, but simply sizes itself over your normal web content inside the window. You think you are just using your web browser, but meanwhile another application has control of what you see and what you are interacting with.

    Since sun has “hidden” the bug report I’m not sure about the details of this exploit. I think the big question would be whether or not the normal Applet sandbox limitations are circumvented. If you can open socket connections to anywhere at the same time that you can display whatever you want, things get really interesting.

  33. #33 hfollmann says:

    I noticed that if you are behind the proxy with authentication the java applet will ask for your credentials. If you do not enter them that demo does not work.
    The Java Applet cannot reuse the credentials of the browser it seems.

    -H

  34. #34 Matyas says:

    Could not reproduce on an older debian/iceape system, neither on AIX/firefox. The latter has java enabled but I am prompted to download a plugin, but then no plugin can be found for AIX.

  35. #35 Iain Collins says:

    I’m using a Mac (as I have done for 20-odd years), and I just instinctively hit Command-W to “close window” (which closes finder windows, browser tabs (or the browser window if it’s the last tab visible). Command-Left Arrow takes you back to the previous page (thus closing it too) just like normal as well.

    As other users have said, on the Mac, the tool bar and Dock remain visible while this window is open. You can equally use File-Close Window (or close tab) or open another page (which makes it go away).

    Annoying for most Firefox and IE users on Windows, but this has been possible for over 10 years with IE and JavaScript to size and position windows slightly larger than the screen, and slightly off screen.

  36. #36 Frank says:

    Weird… didn’t work at all on IE6 fully patched WinXP, Java 1.6.0 (build 1.6.0_02-b05).

  37. #37 Aedrin says:

    Many people here fail to see the problem.

    Yes, you can just AltTab out of it, close it with AltF4, or any of the other numerous ways.

    Now, imagine for a moment that people out there don’t know everything about their computer. Those “other” people. You’ve seen them in the wild, they exist.

    Suddenly your whole screen disappears (yes, some OSes keep the menu bar/start bar/[other] bar available, but most unknowing people use Windows and don’t change any settings). All you can do is sit through the entire ad, or not realize you’re not looking at your real desktop. Some people don’t know what to expect. So when their desktop looks slightly different, and it shows Windows asking for a serial key, or their SSN, what do you think they will do?

  38. #38 Adhominem says:

    With Konqueror, it at least shows “Java Applet Window” at the top, so I’m clued in this is not the real thing. Still, no means of closing except Strg+Alt+Esc and use xkill to shoot the bugger. The browser survives this, btw, only the Java VM is killed. KDE/X11 rules!

  39. #39 Zack says:

    in response to the person who said, just use Alt-f4. ALT-F4, ctrl-shift-w, ctrl-w, (last two are firefox controls) all did not work to close the applet if Java was enabled in my browser. This is on a fairly secured machine. Win XP patched yesterday, firefox 2.0.0.6. I had to use ctrl-alt-delete to get any form of control back on the primary display, and even then my only recourse was killing firefox.

    I had multiple monitors so I was no completely shut down, but as others have said this could be really nasty. I saw this used once before but luckily it was just an coding error and not an exploit attempt that time. Still a very nice find. Good work!

  40. #40 BobPaul says:

    You’re missing the L on HTML for your link to the javascript combo method.

  41. #41 Charlie Martin says:

    Actually, it doesn’t work for me (Mac Mini, OS/X 10.4.10, under Firefox 2.0.0.6 (at least.) The Pure Java(tm) version throws a method not found exception, the javascript version just opens a regular tab.

  42. #42 Charlie Martin says:

    … kinda sorta works in Java under Mozilla, solaris 10 u 3, but it’s just a normal window killable by normal X methods.

  43. #43 Me says:

    I was able to use alt-tab and the taskbar remained visible, but i can easily imagine my mother being totally confused andf tricked into entering anything on a “fake desktop” that doesnt even remotely look like hers.
    win XP, ff 2.0.0.6

  44. #44 Giorgio says:

    @BobPaul:
    Fixed, thanks. It’s worth noticing how most commenters here are tech-savvy enough to silently fix the link and go ahead ;)

    @All Mac OS X users:
    The different behavior reported by many of you is not surprising, since the Java Virtual Machine deployed by Apple is a different, albeit compatible, implementation of Sun’s Java specification developed by Apple itself.
    Also, window size and availability of an easy closing method may vary with the window manager in use, and reading your reports looks like OS X has a nice one, nicer than Win XP’s at least (see Zack’s post).

  45. #45 HardwareGuy says:

    This is not a bug, it is the intended behavior that java applets have. Yes it can be used for nefarious purposes, but it’s been around for so long you think someone would’ve exploited it by now if they were gunna. Any advertiser that tries to use this will instantly be universally hated and exposed. The greater threat is from phishers, but phishers can fool people with emails anyways so is this really that big of a deal?

  46. #46 Vernon Nemitz says:

    OK, I happen to use Windows95 with Mozilla 1.7.13, partly because I haven’t found much out there that targets this combination. Note I know if I switched to Linux my system might also not be targeted much NOW, but what about the future as Linux market share grows? Remember, Win95 did NOT come with IE built into it. It simply has fewer features than can be misused, than later versions of Windows, and likely has fewer features than recent versions of Linux –and the market share of Win95 has been declining ever since Win98, so no reason for it to become a deliberate target.

    Anyway, as evidence supporting the non-targeting of this system, I clicked on your “Applet based, works in any browser” link, and no, it didn’t work. It did crash the browser with a “this program has performed an illegal operation” error. But since restarting the browser is easier than being phished or otherwise scammed, I can accept that. So I returned to this page and clicked on the “JavaScript based, works in Opera and Gecko-based browsers” link, for which Mozilla qualifies, I THOUGHT. Well, normally when I click on a link I right-click and select the “open in new tab” option. I am certain that JavaScripted is enabled. But this Web page did not get covered by a popup. I clicked on the tab and that page also looked ordinary, not covered by a popup. I tried clicking on the JavaScript demo more than once. Eventually the browser crashed again, but I never saw a popup.

  47. #47 Things n’ Stuff » Blog Archive » Nice hack says:

    […] covered by slashdot, but its important enough so I’m mentioning it here: Giorgio Maone is a security researcher that has found a way to create the ultimate evil pop™ up using […]

  48. #48 Randy Smith says:

    No problem here with a Mac running the Safari Beta. The Java worked fine but I was able to get rid of the window via the close window in the file menu. I could have used a keyboar shortcut as well. Since I am running Safari Stand that adds extra functions to Safari such as a sidebar the Java did not touch what Safari Stand handles. Being a windows user as well I can see what havoc this could cause on a PC! Another good reason to surf the web with a Mac.

  49. #49 Metagg says:

    Metagg is tracking this post

    Find out what Social News Sites are discussing this post over at metagg.com

  50. #50 maximus says:

    Didn’t do a damn thing on my Ubuntu system (standard Feisty Fawn, FireFox, patches that come down through the OS).

  51. #51 anonymous says:

    Older JVMs not susceptible?

    Java(TM) Plug-in: Version 1.4.2_13
    Using JRE version 1.4.2_13 Java HotSpot(TM) Client VM
    User home directory = C:\Documents and Settings\xxxxx

    Proxy Configuration: Browser Proxy Configuration

    —————————————————-
    c: clear console window
    f: finalize objects on finalization queue
    g: garbage collect
    h: display this help message
    l: dump classloader list
    m: print memory usage
    o: trigger logging
    p: reload proxy configuration
    q: hide console
    r: reload policy configuration
    s: dump system properties
    t: dump thread list
    v: dump thread stack
    x: clear classloader cache
    0-5: set trace level to
    —————————————————-
    java.lang.UnsupportedClassVersionError: FullScreen (Unsupported major.minor version 49.0)
    at java.lang.ClassLoader.defineClass0(Native Method)
    at java.lang.ClassLoader.defineClass(Unknown Source)
    at java.security.SecureClassLoader.defineClass(Unknown Source)
    at sun.applet.AppletClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.applet.AppletClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.applet.AppletClassLoader.loadCode(Unknown Source)
    at sun.applet.AppletPanel.createApplet(Unknown Source)
    at sun.plugin.AppletViewer.createApplet(Unknown Source)
    at sun.applet.AppletPanel.runLoader(Unknown Source)
    at sun.applet.AppletPanel.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

  52. #52 ravkass says:

    I guess you have given script kids some food for joy.

  53. #53 Giorgio says:

    @Anonymous:
    Yes, you’re right. The applet was compiled targeting JRE 1.5.
    You may want to retry now, it’s retargeted to 1.2.

  54. #54 Isaac.Eiland-Hall.com » Blog Archive » Yet Another Java/Javascript Exploit says:

    […] hackademix.net: hackademix.net » Pure Java™, Pure Evil™ Popups Imagine you’re a web advertiser. Imagine you can open a popup window from a web page […]

  55. #55 spoofedpacket » Blog Archive » Don't open this link! says:

    […] the NoScript Firefox extension has highlighted a “mis-feature” in Java that allows an uncloseable, full-screen applet with no window decorations to be opened. There is a proof of concept applet available, but for the love of god don’t […]

  56. #56 Alfredo Juarez » Popup Blockers vulnerables - Programacion y algo mas... says:

    […] | Giorgio Maone August 8th, […]

  57. #57 Th says:

    This is yet another reason I always surf with javascript disabled. Allowing pages to run full fledged programs at a whim, in one’s browser, is a hugely stupid security risk, IMO. At LEAST require a “click to activate” warning page…

  58. #58 lj says:

    The trick doesn’t work with lynx…

  59. #59 Porter says:

    Hmmm.

    I noticed the following in the Java Console….

    Java Plug-in 1.6.0_01
    Using JRE version 1.6.0_01 Java HotSpot(TM) Client VM

    —————————————————-
    c: clear console window
    f: finalize objects on finalization queue
    g: garbage collect
    h: display this help message
    l: dump classloader list
    m: print memory usage
    o: trigger logging
    p: reload proxy configuration
    q: hide console
    r: reload policy configuration
    s: dump system and deployment properties
    t: dump thread list
    v: dump thread stack
    x: clear classloader cache
    0-5: set trace level to
    —————————————————-

    java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.awt.Window.setAlwaysOnTop(Unknown Source)
    at FullScreen.start(FullScreen.java:30)
    at sun.applet.AppletPanel.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

    Apparently - even though there’s a security setting that should prevent the always on top call - it’s not actually being enforced. Whoops.

  60. #60 Web 2.0 Announcer says:

    Pure Java?, Pure Evil? Popups

    […][…]

  61. #61 astfgl says:

    Interesting applet. However, when it goes full screen, my taskbar (Debian/Etch/KDE/Iceweasel) is still on top of the applet and I can drag the applet from one virtual desktop to another with it. Oh, and Alt-Left mouse button can still drag it around on the screen too. I suppose it could be a problem if you’re not paying attention.

    BTW, I just noticed an error on the Iceweasel’s status line:

    “error: Java.lang.NoSuchMethodError: java.awt.Window.setAlwaysOnTop(Z)V.”

  62. #62 Giorgio says:

    @Porter & astfgl:
    both issues fixed, thanks.

  63. #63 sepp0 says:

    Java S U C K S

    http://www.javasucks.com.ar and flash to http://www.flashsucks.com.ar

  64. #64 Brad says:

    Corporate executives especially in marketing are foaming at the mouth of this one, force you to watch their advertisement. I work at a off-site location and they set your browser where you cannot adjust the security settings and you are required to use IE. The security settings are set to “lax”. The corporate mgt basically tell you that Internet is a privilege and you are told that if you block pop-ups, you are considered a thief and it is not tolerated. You are not allowed to close the pop-up until you leave the site.

  65. #65 Nerdy Inverse Network » The java popup you can’t stop says:

    […] blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole […]

  66. #66 kahn says:

    sorry i quite dont get the point of this.
    who on heavens earth is surfing with active java?
    i guess only the ppl who klick on attachments like “paris_hilton_nude.JPG.exe”

  67. #67 Fred P. says:

    Does not work on IE 6.0.2800.1106 with Java and JavaScript Enabled.
    Works perfectly on my Firefox 2.0.0.3 with Java and JavaScript Enabled tough.

  68. #68 MBraedley says:

    I think I’ll go roll up into a foetal position on my bed now.

    And here I thought my 4 virtual desktops provided by Beryl would save me.

  69. #69 supermoose says:

    Safari on OS X : jumps to full screen and all but i dont get any text to display. Quite scary anyway. nice catch

  70. #70 she says:

    wow really nice

    i think thats some way to say that the web OS could be renamed phishing OS ;)

  71. #71 erik-k says:

    The applet worked on Gentoo Linux / KDE-3.5.5 / Konqueror, JS didn’t.

    I think that on Linux and X the simplest solution is to Ctl-Alt-Fn to another console, login, kill -9 the offending process, then Ctl-Alt-Fn back to the desktop. I don’t think it’s possible for any GUI app to stop that.

  72. #72 Shalev says:

    Of course, being the curious lad I am I immediately clicked the link to the test. It worked, and my entire 23 tabs of browser were hidden… forever? Determined not to shut down my browser I leapt into action - spamming the “preferences” hotkey at lightning speed with one hand while clicking furiously on where the “Enable Java” checkbox was.

    The bug was no match for my click-fu and the black screen disappeared as soon as I cut off its evil power. Take that, random superbugs!

  73. #73 Daniel says:

    Doesn’t work on FF 2.0.6 on Win XP SP2. Windows bar still visible, easy to escape out of. Not impressed.

  74. #74 james says:

    This may be “no big deal” to some of you who are more technically adept at pressing keyboard shortcuts that are not generally known by the public. This could happen to your child, he’d be sitting there surfing sites and then suddenly he’s staring at a full screen of Britney’s behind and he doesn’t see any way of closing the window… Worse is if were Lindsay’s…

  75. #75 Anonymous says:

    Your script is not working with Seamonkey 1.1.2, why?

  76. #76 Anonymous says:

    Ok. I had not Java on my machine, sorry for my noob question :)

  77. #77 Bartek says:

    Ctrl + F4 in Opera

  78. #78 Peter says:

    So where is this Evil popup ???
    i’m using Avant brouwser (kind of onion holder for IE 6.x)
    And I dont got any problems here with any links on this page (closing is no problem, nor do they do get in the way).
    Apperently my own popups works better then the one posted here ? (or is it not here)

  79. #79 Swfblag » Blog Archive » Too much space says:

    […] just been reading about the new Java popup exploit. It’s one of the “too much space” problems: applications are given the ability to […]

  80. #80 Thoralf says:

    Always interesting to see how self-centered geeks can be, completely ignoring that there is a world out there with people that don’t know each and every shortcut by heart, with ppl that can get easily tricked by some fake windows.

    This problem is definitely a major issue and needs to get addressed as soon as possible.

  81. #81 Beanpicks says:

    Evil fun with Java ;-)

    btw, who said that there could not be that evil laughter when you are writing Java?
    http://evil.hackademix.net/fullscreen/applet.html

  82. #82 Beware evil pop-ups | Technology Live says:

    […] Maone - the programmer behind a popular Firefox ad-blocking plug-in called No-Script - has revealed how to completely defeat normal pop-up blockers using the Java programming […]

  83. #83 king says:

    Please publish the source… For purely educative purpose

  84. #84 Busca-Chilpo-Webs » Blog Archive » Sun: tenemos un problema… says:

    […] comienza la teatral (pero realista) descripción del problema que ha descubierto Giorgio Maone (creador de NoScript), que reside en una vulnerabilidad de Java y […]

  85. #85 Walenzack says:

    On Windows Vista with latest version of Firefox, both full screen windows can be minimized and Firefox works exactly as well as before, no blocking at all.
    So I’ll label this as a cool feature rather than as a security issue.

  86. #86 Popups-The next generation | Global Toad News says:

    […] there are a new wave of popups out there, according to hackademix.net; Imagine you’re a web advertiser. Imagine you can open a popup window from a web page defeating […]

  87. #87 IFTBQP ~ Social living » hackademix.net » Pure Java™, Pure Evil™ Popups says:

    […] hackademix.net » Pure Java™, Pure Evil™ Popups […]

  88. #88 Schuenemann says:

    Another interesting extension for Firefox is “Controle de Scripts”. With it, you can enable/disable certain scripts, like resizing windows, removing toolbar/buttons/etc, switching images and many more.
    Works great with NoScript.

  89. #89 xjavas says:

    This has been discovered/reported a while back.. nice try

  90. #90 missmak.com » Blog Archive » Kill It!! says:

    […] hackademix.net […]

  91. #91 Rumboard » Evil Popups says:

    […] the article for additional information and also neat examples of the pop-ups in […]

  92. #92 wow says:

    Amazing how many people missed the point… nice to see that some people get it…
    http://hackademix.net/2007/08/07/java-evil-popups#comment-46

    Re-read the article if you think this is just about knowing how to close a window… (especially you, aaaa…comprehension is evidently not your strong suit…)

  93. #93 Kade says:

    wow I would love to learn how to make my own!

  94. #94 Carl says:

    Here are my steps to stopping the annoyance in WindowsXP Firefox 2.0.0.6:

    The first demo, I used ctrl-F4 sequence. (kills firefox browser application)

    The second demo, I hit the Window key (The one next to the Alt-key) to bring up the taskbar then right click on the firefox app (title task at the bottom) to select close option. (kills firefox browser application)…

    Check your proxy logs and start hunting these folks down.

  95. #95 Up all night « Nothing to see here. Move along. says:

    […] evil. Don’t believe me? Click Here. That’s some very scary shit. Thanks to the folks at Hackademix, via Slashdot, via Google Notebook Firefox extension. I’ve got lots of blog entry wannabes […]

  96. #96 Bob says:

    I usually don’t use IE, but tried IE7 in Vista to see your demo. As I use Firefox and No-Scripts it is not a problem for me, but scary that a malicious site could reduce an average user to killing their browser.

  97. #97 Grave error de Java: Un nuevo tipo de Popup | xkod says:

    […] comienza el teatral/realista articulo del problema que ha descubierto Giorgio Maone (creador de NoScript), que reside en una vulnerabilidad de Java y […]

  98. #98 Markon says:

    Use NoScript!!!!!
    It’s one of the best Firefox Plugin ;)

    And made by G. Maone naturally :-)
    PS: to block advertiser use also AdBlockPlus:
    https://addons.mozilla.org/it/firefox/addon/722 = NoScript
    https://addons.mozilla.org/it/firefox/addon/1865 = AdBlockPlus

    Bye ;)

  99. #99 Java: Arma de Doble Filo « ATRAPADOS EN LA RED says:

    […] inspirado y traducido de Hackademix, encontrado vía Reddit. Explore posts in the same categories: Seguridad, Publicidad, Popup, IE, […]

  100. #100 Terminally Incoherent » Blog Archive » Do Not Click This Link says:

    […] if for some reason you can’t click out of the popup to see the article here is the safe link. tags: popips, evil, 10 fucking days, java, […]

  101. #101 Matteo says:

    Good point! This issue has also been discussed on JavaPosse podcast (episode 137)

  102. #102 Ivan says:

    Hi all, very good code!!!!! but I´m interesting to see the fullscreen.class code ? IS iT POSSIBLE?
    view the code = fullscreen.class

    Thanks you all….

  103. #103 2007.08.15 Daily Security Reading « Rodney Campbell’s Blog says:

    […] Evil Java Full-Screen PopUp […]

  104. #104 Byte Into It - Computing and new technology Byte Into IT - 22 Aug 2007 « says:

    […] Byte Into IT - 22 Aug 2007 August 22nd, 2007 — byteintoit http://hackademix.net/2007/08/07/java-evil-popups […]

  105. #105 hackademix.net » Hey Dude, Where's Your Code? says:

    […] the Java Evil Popups and the more recent SQL Injection Toy posts have been followed by kind requests to see the […]

  106. #106 חטיפת מידע מהדסקטופ » ZuLL, יומנו של האקר. says:

    […] http://hackademix.net/2007/08/07/java-evil-popups/ שתפו ותהנו:צלמיות אלו מקשרות לאתרי סימניות משותפות בהם קוראים יכולים לשתף ולגלות אתרים חדשים. […]

  107. #107 Links for 9 August 2007 - 6 September 2007 :: Col’s Tech Stuff says:

    […] Pure Java?, Pure Evil? Popups - Nasty, very nasty little bug in Java. I’ve not seen this being abused in the wild yet, but I don’t think it’ll be long before it is. Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages. […]

  108. #108 Web na Veia » A popup do mal says:

    […] hackademix.net Pure Java Full Screen Demo […]

  109. #109 nick botulism says:

    YAWN. this is nothing.

  110. #110 hackademix.net » Java, Quicktime and Other Good News says:

    […] Java evil popups I demonstrated two months ago have been addressed by […]

  111. #111 59 23 * * 0 flush » דפדף, חביבי, דפדף says:

    […] ההאקר הטוב hackademix.net מספר לקוראיו בהרחבה על באג בטיחות שמצא, רחמנא לצלן, בג’אווה: דמיין שאתה מפרסם ברשת… דמיין שביכולתך לפתוח חלון […]

  112. #112 Danny says:

    Just hit the backspace key, or ctr+w to close that specific tab… done.

  113. #113 Giorgio says:

    @Danny:
    You know, bugs get fixed, sooner or later…

  114. #114 Things n’ Stuff » Blog Archive » Nice hack says:

    […] covered by slashdot, but its important enough so I’m mentioning it here: Giorgio Maone is a security researcher that has found a way to create the ultimate evil pop™ up using […]

  115. #115 Top 10 Web Hacks for 2007 « John’s Blog says:

    […] Validation Bypass Vulnerability (POC) Non-Alpha-Non-Digit 3 Steal History without JavaScript Pure Java™, Pure Evil™ Popups Google Adsense CSRF hole There’s an OAK TREE in my blog!?!?! BK for Mayor of Oak Tree View […]

  116. #116 大西瓜的杂货铺 » 四年300个攻击技术总结(2006-2009) says:

    […] Validation Bypass Vulnerability 72.Non-Alpha-Non-Digit 3 73.Steal History without JavaScript 74.Pure Java??, Pure Evil?? Popups 75.Google Adsense CSRF hole 76.There’s an OAK TREE in my blog!?!?! 77.BK for Mayor of Oak Tree […]

Bad Behavior has blocked 33516 access attempts in the last 7 days.