Imagine you're a web advertiser.
Imagine you can open a popup window from a web page defeating any popup blocker.
Imagine this popup can invade the whole desktop, full screen.
Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No mean to close it.
Imagine user can't move or minimize this popup. It will go away only when the browser is killed or your show is done...
Now imagine you're a phisher.
Imagine you can use this almighty popup to draw anything you want. A fake browser or -- why not? -- a whole fake desktop to collect user's data.
Impossible wet dreams of clueless evildoers?
No, it's just 100% Pure Java™ Reality.
If you're using Opera or a Gecko-based browser, a similar full screen evil can be performed with just a few JavaScript lines. No need to compile and host any applet, thanks to the LiveConnect technology.
I've notified Sun on 29-Jul-2007.
My bug report has been evaluated and publicly disclosed by Sun yesterday (06-Aug-2007) as a request for enhancement.
Update (08-Aug-2007):
Looks like responsibly filing a bug in the Sun's bug tracker, religiously waiting one week for its classification by Sun engineers and having it finally published by Sun itself as a non-security-related RFE is not enough to go public. I should have known that security reports should be submitted to security-alert at sun dot com to be properly handled. When Maarten Van Horenbeeck (SANS ISC) did it, Sun requested him to request me "to keep the issue confidential, and hold the blog post, till Sun has completely fixed it and is ready to issue a Sun Alert to warn users". At that time, my post had been already out for some hours, read and commented by many "hackers" supporting full disclosure. Therefore, I respectfully answered (directly to security-alert at sun dot com, with SANS in CC) explaining why retracting it would have been useless, but apologized for my mishandled report and offered any other help, including my promise to use security-alert at sun dot com instead of the regular bug tracker for future responsible disclosures. I received no answer yet, but in the meanwhile my bug report has been reclassified and made inaccessible. I still wonder why should I have known better than a Sun Bug Tracker employee what the proper channel for a security report was...
Will this take more or less than ten days to be fixed?
In the meanwhile, NoScript is your friend ;)
Update (Oct-22-2007)
Issue fixed. Thanks, Sun.
Demos
- Applet based, works in any browser -- (update: source code here)
- JavaScript based, works in Opera and Gecko-based browsers
Credits
Many thanks to:
- Ronald van den Heetkamp for early inspiration
- Dan Veditz (Mozilla)
- timeless
August 7th, 2007 at 3:38 pm
Ouch! nice find.
August 7th, 2007 at 4:02 pm
Wow - I didn't know this and this IS really scary. Great research, Giorgio, Dan and Ronald.
Grx,
.mario
August 7th, 2007 at 10:48 pm
Seems Mozilla will remove Liveconnect IF in the near future...
http://boomswaggerboom.wordpress.com/2007/04/16/javaplugin-cleanup-for-mozilla-20/
August 7th, 2007 at 11:08 pm
nice post,,, i'll fave this blog,,,
August 8th, 2007 at 12:22 am
[...] Keterangan tentang arikel ini juga dapat dilihat di link berikut ini : http://hackademix.net/2007/08/07/java-evil-popups/#comment-17 [...]
August 8th, 2007 at 11:08 am
On multiple screen systems, it only "locks" one screen.
August 8th, 2007 at 11:21 am
"[...] Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No mean to close it.
Imagine user can’t move or minimize this popup. It will go away only when the browser is killed or your show is done… [...]"
Yes, a bug, but nothing as dramatic as you make it out to be. My menu bar remains visible, Exposé still functions, my browser's keyboard shortcuts (for back, close tab, close window...) still function. Plenty of options for a graceful recovery.
August 8th, 2007 at 11:22 am
you can also, if using tabs, just kill the tab that opened the page/link.. no need to kill the browser it self, except with IE*
August 8th, 2007 at 11:23 am
Neither demo does anything at all using the Galeon browser on Ubuntu Linux 6.06 although the Java demo does work using Firefox. Yes, Galeon does have the latest Sun Java plugin installed.
August 8th, 2007 at 11:30 am
If you've got dual screens however...you still have the other screen, but that's still scary
August 8th, 2007 at 11:31 am
One thing I'll point out is that I can get the Task Manager to sit on top of it if I hit "Always On Top" and then it's easy to kill the applet. Also, this hack does depend on Java working correctly on people's machines. I've seen plenty of situations ( my computer included ) where an Applet doesn't work right because of competing VMs. Still, every impressive. Good job!
August 8th, 2007 at 11:34 am
Just do alt+ space and close.
no need to kill the browser.
or alt+space .. move if you have more than one screen ( like me .. where my other screen was not covered
August 8th, 2007 at 11:40 am
How about putting a timer in so that the applet goes away after a minute or 2, and tell everyone that they'll have control in 2 minutes etc...
Just a thought.
Great find -- thanks for sharing it with everyone -- I hope Sun gets off their asses soon. If I were in charge, I would send out an immediate patch that a child of an applet cannot create a window bigger than 600x480 -- and people who browse at that resolution deserve to be incapacitated.
August 8th, 2007 at 11:51 am
In Opera 9.21, both of those methods can be closed by simply pressing ctrl+w.
Additionally in both methods, the task bar and start menu never disappear, so you can also just right-click on your browser and close it.
I mean, I agree that all browsers should come equipped with a no-script equivalent that is turned on by default, but this isn't really a problem for Opera users who are technically-saavy (and I think all 7 of us probably are).
August 8th, 2007 at 11:52 am
> Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No mean to close it.
Immagine a "security researcher" so retarded he does not know you can close a window with ALT-F4.
Security researcher my hairy ass.
August 8th, 2007 at 12:02 pm
I think on Linux I'd be OK as the window manager on Linux allows me to be a bit more forceful with windows.
I like NoScript though, if only to reduce bandwidth and processor usage when it doesn't help me at all.
August 8th, 2007 at 12:06 pm
Takes the screen with Firefox on a mac, but dock and menu bar are still visible and a simple cmd-w closes the window without problem. Same with Safari.
August 8th, 2007 at 12:18 pm
regarding my earlier timer request -- I did not try clicking on the page (there was no text visible on FF2.0.0.6 on FC6). I then tried it on OSX and saw the text -- but also saw the dock, etc as others are reporting
August 8th, 2007 at 12:20 pm
Yeah, big deal. I tried out the "one that works on all browsers". Yeah, full screen, blah blah. Oh no, what am I ever going to do? cmd-w works, but something less drastic is cmd-[
Back to the previous page.
Big deal.
August 8th, 2007 at 12:20 pm
Funny. I didn't have any problems.
WinXP Pro with Firefox 2.0.0.5 and a few tweaks, but Java and Javascript are enabled.
I middle clicked on the link for the supposed "hack" and it opened in a new tab.
Browser locked up for maybe 30 seconds and then everything was fine.
No full screen anything.
Is this a simple "ad" for the NoScript plugin?
August 8th, 2007 at 12:23 pm
There are many good replies but some of you say that there are easy fixes that even the security researcher should have known. No fix is easy unless it can be widely taught. Most of the key-combos that will kill this thing are unknown to a vast majority of IE users. Those of us who are informed are probably already on something besides IE and know at least one of the keystroke shortcuts to killing this bug or have already downloaded no-script.
All of us who know a thing or two should also help our uneducated friends and family. I am already sending an e-mail to my 67 year old mom to tell her some of the ways to kill this thing. She works at home and must use IE for the software to work.
August 8th, 2007 at 12:24 pm
Addendum to my previous post.
I have my Javascript set to NOT allow:
-Move or resize windows
-Raise or lower windows
-Hide the status bar
August 8th, 2007 at 12:27 pm
SUSE LINUX 10.2 w/ Firefox 2.0.0.5 and dual screens -- This thing takes up both screens! Hides my KDE taskbar and prevents CTRL-W from closing the window. Nice find.
August 8th, 2007 at 12:29 pm
[...] razlog za tole objavo pa je bila tale objava na blogu avtorja extensiona NoScript, ki je opozoril na dejstvo, da se da z preprostim Java [...]
August 8th, 2007 at 12:32 pm
Didn't work on my system at all. I am using (fully updated) Kubuntu 7.04 and Firefox 2.0.0.6.
I am not saying that only one screen was locked. I am saying that it didn't work at all.
The Javascript version merely opened a new window with the titlebar and what-not intact. The Java version crashed Firefox :)
Here's a screenshot if you don't believe me:
August 8th, 2007 at 12:33 pm
Funny. I tried this in Opera and Safari 3 on a Mac. Safari3, neither link did anything. Opera, both links opened a full screen "PWNED" page, but the Dock and top bar were still visible. Gets even better, Opera crashed and had to be Force Quit.
The first link in FireFox (the applet one) can easily be closed with CMD+W. The second one doesn't open.
Neat trick.
August 8th, 2007 at 12:38 pm
Ah.. double comment post! :P But I just read "AAAA's" post and had to comment.
"Immagine a “security researcher” so retarded he does not know you can close a window with ALT-F4.
Security researcher my hairy ass."
Question isn't whether the Security Researcher knows this, but how many end-users know that ALT+F4 will close a window. Many just know "X in corner means close" or "In Menu Bar on Mac click Applications Name then Quit". Plus, with what I've seen with Opera on Mac, I'm not sure if ALT+F4 would close the window. Opera just kinda locked up.
August 8th, 2007 at 12:49 pm
I use Opera, only the applet demo works, not the javascript one. Though I've been working with liveconnect lately and suspected this problem might exist (hence I found your post). Nice.
August 8th, 2007 at 1:01 pm
Any browser under is OSX perfectly safe from this, as mentioned twice above.
August 8th, 2007 at 1:02 pm
^^ good point. most end users **cough....old people...cough cough** won't know how to deal with something like this
August 8th, 2007 at 1:03 pm
Tested on Camino (Gecko-based) running MacOS X.
The JS version does nothing. The Java version worked.
I also tried the java popup that you link to on http://www.0x000000.com/. This works, too. I can't close the popup that is created by the JS code (I have to restart Camino).
In Safari, apparently, neither of them work (because LiveConnect is not present in Safari, I guess).
This is very scary. I hope this bug/feature gets "corrected" before spammers catch on.
August 8th, 2007 at 1:05 pm
Everyone talks about just closing the screen and how this is not a big deal. Issue is what if the app is not taking the full screen, but simply sizes itself over your normal web content inside the window. You think you are just using your web browser, but meanwhile another application has control of what you see and what you are interacting with.
Since sun has "hidden" the bug report I'm not sure about the details of this exploit. I think the big question would be whether or not the normal Applet sandbox limitations are circumvented. If you can open socket connections to anywhere at the same time that you can display whatever you want, things get really interesting.
August 8th, 2007 at 1:06 pm
I noticed that if you are behind the proxy with authentication the java applet will ask for your credentials. If you do not enter them that demo does not work.
The Java Applet cannot reuse the credentials of the browser it seems.
-H
August 8th, 2007 at 1:12 pm
Could not reproduce on an older debian/iceape system, neither on AIX/firefox. The latter has java enabled but I am prompted to download a plugin, but then no plugin can be found for AIX.
August 8th, 2007 at 1:16 pm
I'm using a Mac (as I have done for 20-odd years), and I just instinctively hit Command-W to "close window" (which closes finder windows, browser tabs (or the browser window if it's the last tab visible). Command-Left Arrow takes you back to the previous page (thus closing it too) just like normal as well.
As other users have said, on the Mac, the tool bar and Dock remain visible while this window is open. You can equally use File-Close Window (or close tab) or open another page (which makes it go away).
Annoying for most Firefox and IE users on Windows, but this has been possible for over 10 years with IE and JavaScript to size and position windows slightly larger than the screen, and slightly off screen.
August 8th, 2007 at 1:17 pm
Weird... didn't work at all on IE6 fully patched WinXP, Java 1.6.0 (build 1.6.0_02-b05).
August 8th, 2007 at 1:46 pm
Many people here fail to see the problem.
Yes, you can just AltTab out of it, close it with AltF4, or any of the other numerous ways.
Now, imagine for a moment that people out there don't know everything about their computer. Those "other" people. You've seen them in the wild, they exist.
Suddenly your whole screen disappears (yes, some OSes keep the menu bar/start bar/[other] bar available, but most unknowing people use Windows and don't change any settings). All you can do is sit through the entire ad, or not realize you're not looking at your real desktop. Some people don't know what to expect. So when their desktop looks slightly different, and it shows Windows asking for a serial key, or their SSN, what do you think they will do?
August 8th, 2007 at 1:48 pm
With Konqueror, it at least shows "Java Applet Window" at the top, so I'm clued in this is not the real thing. Still, no means of closing except Strg+Alt+Esc and use xkill to shoot the bugger. The browser survives this, btw, only the Java VM is killed. KDE/X11 rules!
August 8th, 2007 at 2:12 pm
in response to the person who said, just use Alt-f4. ALT-F4, ctrl-shift-w, ctrl-w, (last two are firefox controls) all did not work to close the applet if Java was enabled in my browser. This is on a fairly secured machine. Win XP patched yesterday, firefox 2.0.0.6. I had to use ctrl-alt-delete to get any form of control back on the primary display, and even then my only recourse was killing firefox.
I had multiple monitors so I was no completely shut down, but as others have said this could be really nasty. I saw this used once before but luckily it was just an coding error and not an exploit attempt that time. Still a very nice find. Good work!
August 8th, 2007 at 2:22 pm
You're missing the L on HTML for your link to the javascript combo method.
August 8th, 2007 at 2:31 pm
Actually, it doesn't work for me (Mac Mini, OS/X 10.4.10, under Firefox 2.0.0.6 (at least.) The Pure Java(tm) version throws a method not found exception, the javascript version just opens a regular tab.
August 8th, 2007 at 2:35 pm
... kinda sorta works in Java under Mozilla, solaris 10 u 3, but it's just a normal window killable by normal X methods.
August 8th, 2007 at 2:36 pm
I was able to use alt-tab and the taskbar remained visible, but i can easily imagine my mother being totally confused andf tricked into entering anything on a "fake desktop" that doesnt even remotely look like hers.
win XP, ff 2.0.0.6
August 8th, 2007 at 2:36 pm
@BobPaul:
Fixed, thanks. It's worth noticing how most commenters here are tech-savvy enough to silently fix the link and go ahead ;)
@All Mac OS X users:
The different behavior reported by many of you is not surprising, since the Java Virtual Machine deployed by Apple is a different, albeit compatible, implementation of Sun's Java specification developed by Apple itself.
Also, window size and availability of an easy closing method may vary with the window manager in use, and reading your reports looks like OS X has a nice one, nicer than Win XP's at least (see Zack's post).
August 8th, 2007 at 2:37 pm
This is not a bug, it is the intended behavior that java applets have. Yes it can be used for nefarious purposes, but it's been around for so long you think someone would've exploited it by now if they were gunna. Any advertiser that tries to use this will instantly be universally hated and exposed. The greater threat is from phishers, but phishers can fool people with emails anyways so is this really that big of a deal?
August 8th, 2007 at 2:43 pm
OK, I happen to use Windows95 with Mozilla 1.7.13, partly because I haven't found much out there that targets this combination. Note I know if I switched to Linux my system might also not be targeted much NOW, but what about the future as Linux market share grows? Remember, Win95 did NOT come with IE built into it. It simply has fewer features than can be misused, than later versions of Windows, and likely has fewer features than recent versions of Linux --and the market share of Win95 has been declining ever since Win98, so no reason for it to become a deliberate target.
Anyway, as evidence supporting the non-targeting of this system, I clicked on your "Applet based, works in any browser" link, and no, it didn't work. It did crash the browser with a "this program has performed an illegal operation" error. But since restarting the browser is easier than being phished or otherwise scammed, I can accept that. So I returned to this page and clicked on the "JavaScript based, works in Opera and Gecko-based browsers" link, for which Mozilla qualifies, I THOUGHT. Well, normally when I click on a link I right-click and select the "open in new tab" option. I am certain that JavaScripted is enabled. But this Web page did not get covered by a popup. I clicked on the tab and that page also looked ordinary, not covered by a popup. I tried clicking on the JavaScript demo more than once. Eventually the browser crashed again, but I never saw a popup.
August 8th, 2007 at 2:56 pm
[...] covered by slashdot, but its important enough so I’m mentioning it here: Giorgio Maone is a security researcher that has found a way to create the ultimate evil pop™ up using [...]
August 8th, 2007 at 3:10 pm
No problem here with a Mac running the Safari Beta. The Java worked fine but I was able to get rid of the window via the close window in the file menu. I could have used a keyboar shortcut as well. Since I am running Safari Stand that adds extra functions to Safari such as a sidebar the Java did not touch what Safari Stand handles. Being a windows user as well I can see what havoc this could cause on a PC! Another good reason to surf the web with a Mac.
August 8th, 2007 at 3:30 pm
Metagg is tracking this post
Find out what Social News Sites are discussing this post over at metagg.com
August 8th, 2007 at 4:05 pm
Didn't do a damn thing on my Ubuntu system (standard Feisty Fawn, FireFox, patches that come down through the OS).
August 8th, 2007 at 4:11 pm
Older JVMs not susceptible?
Java(TM) Plug-in: Version 1.4.2_13
Using JRE version 1.4.2_13 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\xxxxx
Proxy Configuration: Browser Proxy Configuration
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
p: reload proxy configuration
q: hide console
r: reload policy configuration
s: dump system properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to
----------------------------------------------------
java.lang.UnsupportedClassVersionError: FullScreen (Unsupported major.minor version 49.0)
at java.lang.ClassLoader.defineClass0(Native Method)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
August 8th, 2007 at 4:16 pm
I guess you have given script kids some food for joy.
August 8th, 2007 at 4:28 pm
@Anonymous:
Yes, you're right. The applet was compiled targeting JRE 1.5.
You may want to retry now, it's retargeted to 1.2.
August 8th, 2007 at 4:36 pm
[...] hackademix.net: hackademix.net » Pure Java™, Pure Evil™ Popups Imagine you’re a web advertiser. Imagine you can open a popup window from a web page [...]
August 8th, 2007 at 4:37 pm
[...] the NoScript Firefox extension has highlighted a “mis-feature” in Java that allows an uncloseable, full-screen applet with no window decorations to be opened. There is a proof of concept applet available, but for the love of god don’t [...]
August 8th, 2007 at 5:44 pm
[...] | Giorgio Maone August 8th, [...]
August 8th, 2007 at 6:28 pm
This is yet another reason I always surf with javascript disabled. Allowing pages to run full fledged programs at a whim, in one's browser, is a hugely stupid security risk, IMO. At LEAST require a "click to activate" warning page...
August 8th, 2007 at 6:38 pm
The trick doesn't work with lynx...
August 8th, 2007 at 6:44 pm
Hmmm.
I noticed the following in the Java Console....
Java Plug-in 1.6.0_01
Using JRE version 1.6.0_01 Java HotSpot(TM) Client VM
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
p: reload proxy configuration
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to
----------------------------------------------------
java.security.AccessControlException: access denied (java.awt.AWTPermission setWindowAlwaysOnTop)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.awt.Window.setAlwaysOnTop(Unknown Source)
at FullScreen.start(FullScreen.java:30)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Apparently - even though there's a security setting that should prevent the always on top call - it's not actually being enforced. Whoops.
August 8th, 2007 at 7:07 pm
Pure Java?, Pure Evil? Popups
[...][...]
August 8th, 2007 at 7:14 pm
Interesting applet. However, when it goes full screen, my taskbar (Debian/Etch/KDE/Iceweasel) is still on top of the applet and I can drag the applet from one virtual desktop to another with it. Oh, and Alt-Left mouse button can still drag it around on the screen too. I suppose it could be a problem if you're not paying attention.
BTW, I just noticed an error on the Iceweasel's status line:
"error: Java.lang.NoSuchMethodError: java.awt.Window.setAlwaysOnTop(Z)V."
August 8th, 2007 at 7:37 pm
@Porter & astfgl:
both issues fixed, thanks.
August 8th, 2007 at 7:57 pm
Java S U C K S
http://www.javasucks.com.ar and flash to http://www.flashsucks.com.ar
August 8th, 2007 at 8:09 pm
Corporate executives especially in marketing are foaming at the mouth of this one, force you to watch their advertisement. I work at a off-site location and they set your browser where you cannot adjust the security settings and you are required to use IE. The security settings are set to "lax". The corporate mgt basically tell you that Internet is a privilege and you are told that if you block pop-ups, you are considered a thief and it is not tolerated. You are not allowed to close the pop-up until you leave the site.
August 8th, 2007 at 9:13 pm
[...] blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole [...]
August 8th, 2007 at 10:40 pm
sorry i quite dont get the point of this.
who on heavens earth is surfing with active java?
i guess only the ppl who klick on attachments like "paris_hilton_nude.JPG.exe"
August 8th, 2007 at 11:15 pm
Does not work on IE 6.0.2800.1106 with Java and JavaScript Enabled.
Works perfectly on my Firefox 2.0.0.3 with Java and JavaScript Enabled tough.
August 8th, 2007 at 11:18 pm
I think I'll go roll up into a foetal position on my bed now.
And here I thought my 4 virtual desktops provided by Beryl would save me.
August 9th, 2007 at 1:07 am
Safari on OS X : jumps to full screen and all but i dont get any text to display. Quite scary anyway. nice catch
August 9th, 2007 at 1:08 am
wow really nice
i think thats some way to say that the web OS could be renamed phishing OS ;)
August 9th, 2007 at 1:44 am
The applet worked on Gentoo Linux / KDE-3.5.5 / Konqueror, JS didn't.
I think that on Linux and X the simplest solution is to Ctl-Alt-Fn to another console, login, kill -9 the offending process, then Ctl-Alt-Fn back to the desktop. I don't think it's possible for any GUI app to stop that.
August 9th, 2007 at 2:25 am
Of course, being the curious lad I am I immediately clicked the link to the test. It worked, and my entire 23 tabs of browser were hidden... forever? Determined not to shut down my browser I leapt into action - spamming the "preferences" hotkey at lightning speed with one hand while clicking furiously on where the "Enable Java" checkbox was.
The bug was no match for my click-fu and the black screen disappeared as soon as I cut off its evil power. Take that, random superbugs!
August 9th, 2007 at 3:52 am
Doesn't work on FF 2.0.6 on Win XP SP2. Windows bar still visible, easy to escape out of. Not impressed.
August 9th, 2007 at 4:01 am
This may be "no big deal" to some of you who are more technically adept at pressing keyboard shortcuts that are not generally known by the public. This could happen to your child, he'd be sitting there surfing sites and then suddenly he's staring at a full screen of Britney's behind and he doesn't see any way of closing the window... Worse is if were Lindsay's...
August 9th, 2007 at 5:54 am
Your script is not working with Seamonkey 1.1.2, why?
August 9th, 2007 at 5:59 am
Ok. I had not Java on my machine, sorry for my noob question :)
August 9th, 2007 at 6:22 am
Ctrl + F4 in Opera
August 9th, 2007 at 6:30 am
So where is this Evil popup ???
i'm using Avant brouwser (kind of onion holder for IE 6.x)
And I dont got any problems here with any links on this page (closing is no problem, nor do they do get in the way).
Apperently my own popups works better then the one posted here ? (or is it not here)
August 9th, 2007 at 6:44 am
[...] just been reading about the new Java popup exploit. It’s one of the “too much space” problems: applications are given the ability to [...]
August 9th, 2007 at 7:25 am
Always interesting to see how self-centered geeks can be, completely ignoring that there is a world out there with people that don't know each and every shortcut by heart, with ppl that can get easily tricked by some fake windows.
This problem is definitely a major issue and needs to get addressed as soon as possible.
August 9th, 2007 at 8:13 am
Evil fun with Java ;-)
btw, who said that there could not be that evil laughter when you are writing Java?
http://evil.hackademix.net/fullscreen/applet.html
...
August 9th, 2007 at 8:22 am
[...] Maone - the programmer behind a popular Firefox ad-blocking plug-in called No-Script - has revealed how to completely defeat normal pop-up blockers using the Java programming [...]
August 9th, 2007 at 9:21 am
Please publish the source... For purely educative purpose
August 9th, 2007 at 12:09 pm
[...] comienza la teatral (pero realista) descripción del problema que ha descubierto Giorgio Maone (creador de NoScript), que reside en una vulnerabilidad de Java y [...]
August 9th, 2007 at 12:33 pm
On Windows Vista with latest version of Firefox, both full screen windows can be minimized and Firefox works exactly as well as before, no blocking at all.
So I'll label this as a cool feature rather than as a security issue.
August 9th, 2007 at 12:43 pm
[...] there are a new wave of popups out there, according to hackademix.net; Imagine you’re a web advertiser. Imagine you can open a popup window from a web page defeating [...]
August 9th, 2007 at 2:31 pm
[...] hackademix.net » Pure Java™, Pure Evil™ Popups [...]
August 9th, 2007 at 4:19 pm
Another interesting extension for Firefox is "Controle de Scripts". With it, you can enable/disable certain scripts, like resizing windows, removing toolbar/buttons/etc, switching images and many more.
Works great with NoScript.
August 9th, 2007 at 4:57 pm
This has been discovered/reported a while back.. nice try
August 9th, 2007 at 5:20 pm
[...] hackademix.net [...]
August 9th, 2007 at 9:56 pm
[...] the article for additional information and also neat examples of the pop-ups in [...]
August 10th, 2007 at 12:19 am
Amazing how many people missed the point... nice to see that some people get it...
http://hackademix.net/2007/08/07/java-evil-popups#comment-46
Re-read the article if you think this is just about knowing how to close a window... (especially you, aaaa...comprehension is evidently not your strong suit...)
August 10th, 2007 at 12:49 am
wow I would love to learn how to make my own!
August 10th, 2007 at 2:22 am
Here are my steps to stopping the annoyance in WindowsXP Firefox 2.0.0.6:
The first demo, I used ctrl-F4 sequence. (kills firefox browser application)
The second demo, I hit the Window key (The one next to the Alt-key) to bring up the taskbar then right click on the firefox app (title task at the bottom) to select close option. (kills firefox browser application)...
Check your proxy logs and start hunting these folks down.
August 10th, 2007 at 2:56 am
[...] evil. Don’t believe me? Click Here. That’s some very scary shit. Thanks to the folks at Hackademix, via Slashdot, via Google Notebook Firefox extension. I’ve got lots of blog entry wannabes [...]
August 10th, 2007 at 2:58 am
I usually don't use IE, but tried IE7 in Vista to see your demo. As I use Firefox and No-Scripts it is not a problem for me, but scary that a malicious site could reduce an average user to killing their browser.
August 10th, 2007 at 4:47 am
[...] comienza el teatral/realista articulo del problema que ha descubierto Giorgio Maone (creador de NoScript), que reside en una vulnerabilidad de Java y [...]
August 10th, 2007 at 11:26 am
Use NoScript!!!!!
It's one of the best Firefox Plugin ;)
And made by G. Maone naturally :-)
PS: to block advertiser use also AdBlockPlus:
https://addons.mozilla.org/it/firefox/addon/722 = NoScript
https://addons.mozilla.org/it/firefox/addon/1865 = AdBlockPlus
Bye ;)
August 11th, 2007 at 12:15 am
[...] inspirado y traducido de Hackademix, encontrado vía Reddit. Explore posts in the same categories: Seguridad, Publicidad, Popup, IE, [...]
August 12th, 2007 at 5:38 am
[...] if for some reason you can’t click out of the popup to see the article here is the safe link. tags: popips, evil, 10 fucking days, java, [...]
August 13th, 2007 at 4:00 pm
Good point! This issue has also been discussed on JavaPosse podcast (episode 137)
August 14th, 2007 at 12:30 pm
Hi all, very good code!!!!! but I´m interesting to see the fullscreen.class code ? IS iT POSSIBLE?
view the code = fullscreen.class
Thanks you all....
August 14th, 2007 at 11:34 pm
[...] Evil Java Full-Screen PopUp [...]
August 22nd, 2007 at 6:32 am
[...] Byte Into IT - 22 Aug 2007 August 22nd, 2007 — byteintoit http://hackademix.net/2007/08/07/java-evil-popups [...]
August 25th, 2007 at 10:55 pm
[...] the Java Evil Popups and the more recent SQL Injection Toy posts have been followed by kind requests to see the [...]
September 1st, 2007 at 5:04 am
[...] http://hackademix.net/2007/08/07/java-evil-popups/ שתפו ותהנו:צלמיות אלו מקשרות לאתרי סימניות משותפות בהם קוראים יכולים לשתף ולגלות אתרים חדשים. [...]
September 6th, 2007 at 10:29 pm
[...] Pure Java?, Pure Evil? Popups - Nasty, very nasty little bug in Java. I’ve not seen this being abused in the wild yet, but I don’t think it’ll be long before it is. Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages. [...]
September 10th, 2007 at 3:16 pm
[...] hackademix.net Pure Java Full Screen Demo [...]
September 27th, 2007 at 2:39 pm
YAWN. this is nothing.
October 4th, 2007 at 7:31 am
[...] Java evil popups I demonstrated two months ago have been addressed by [...]
November 27th, 2007 at 7:01 am
[...] ההאקר הטוב hackademix.net מספר לקוראיו בהרחבה על באג בטיחות שמצא, רחמנא לצלן, בג’אווה: דמיין שאתה מפרסם ברשת… דמיין שביכולתך לפתוח חלון [...]
April 1st, 2008 at 7:11 am
Just hit the backspace key, or ctr+w to close that specific tab... done.
April 1st, 2008 at 10:41 am
@Danny:
You know, bugs get fixed, sooner or later...
July 25th, 2008 at 2:58 am
[...] covered by slashdot, but its important enough so I’m mentioning it here: Giorgio Maone is a security researcher that has found a way to create the ultimate evil pop™ up using [...]
June 10th, 2009 at 5:14 pm
[...] Validation Bypass Vulnerability (POC) Non-Alpha-Non-Digit 3 Steal History without JavaScript Pure Java™, Pure Evil™ Popups Google Adsense CSRF hole There’s an OAK TREE in my blog!?!?! BK for Mayor of Oak Tree View [...]
January 24th, 2010 at 9:32 am
[...] Validation Bypass Vulnerability 72.Non-Alpha-Non-Digit 3 73.Steal History without JavaScript 74.Pure Java??, Pure Evil?? Popups 75.Google Adsense CSRF hole 76.There’s an OAK TREE in my blog!?!?! 77.BK for Mayor of Oak Tree [...]