Security researchers presenting at next week's Black Hat conference are expected to demonstrate a particularly nasty method for stealing online credentials from users of any of the many websites that let users upload their own pictures. The exploit works by uploading a file that looks like a .gif picture but also contains a Java applet, which can be triggered to run later in the victim's browser. They call the file a GIFAR, a GIF and a JAR in one: an image decoder reads a GIF from the front of the file, while a JAR loader reads its ZIP directory from the end, so one file satisfies both. The bad guys would create a profile on one of these popular Web sites -- Facebook, for example -- and upload their GIFAR as an image. Then they'd trick the victim into visiting a malicious Web site, which would tell the victim's browser to load the hosted GIFAR as an applet. Because the applet is served from Facebook's own domain, it runs with the victim's Facebook session, giving the bad guys access to the victim's Facebook account.
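To make the file-format trick concrete, here is an added example (not code from the article or from the researchers it describes) that builds a GIF/ZIP polyglot from a constructed 1x1 GIF and a placeholder archive entry, shows that a ZIP reader such as Python's zipfile still opens it because it locates the archive from the end of the file, and then implements the check an upload pipeline would want: walk the GIF block structure to its trailer and reject any file that carries data after it. The entry names and the placeholder class bytes are assumptions for illustration only.

```python
"""GIFAR polyglot: build one, show both parsers accept it, then detect it."""
import io
import zipfile

# Constructed 1x1 GIF89a: header, screen descriptor, two-entry palette,
# image descriptor, LZW data, trailer. Not taken from the article.
MINIMAL_GIF = bytes.fromhex(
    "474946383961"          # "GIF89a"
    "01000100"              # logical screen 1x1
    "80" "00" "00"          # packed (global color table present), bg, aspect
    "000000ffffff"          # global color table: black, white
    "2c000000000100010000"  # image descriptor: 1x1 at (0,0), no local table
    "0202440100"            # LZW min code size 2, one 2-byte sub-block, end
    "3b"                    # trailer
)


def build_jar(entries):
    """Write a ZIP (a JAR is just a ZIP with a manifest) to bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_gifar(gif, entries):
    """GIF in front, ZIP behind: image decoders stop at the GIF trailer,
    ZIP/JAR readers start from the end-of-central-directory record."""
    return gif + build_jar(entries)


def jar_entries(blob):
    """Read the polyglot the way a JAR loader does, ignoring the GIF prefix."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: zf.read(info.filename) for info in zf.infolist()}


def _skip_subblocks(data, pos):
    """Skip a chain of length-prefixed data sub-blocks ending in a 0 byte."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_trailer_offset(data):
    """Walk the GIF block structure; return the offset just past the 0x3B
    trailer. Raises ValueError for anything that is not well-formed GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13
    if packed & 0x80:                       # global color table follows
        pos += 3 * (2 << (packed & 0x07))
    while True:
        block = data[pos]
        pos += 1
        if block == 0x3B:                   # trailer
            return pos
        if block == 0x2C:                   # image descriptor
            img_packed = data[pos + 8]
            pos += 9
            if img_packed & 0x80:           # local color table
                pos += 3 * (2 << (img_packed & 0x07))
            pos += 1                        # LZW minimum code size
            pos = _skip_subblocks(data, pos)
        elif block == 0x21:                 # extension block
            pos += 1                        # extension label
            pos = _skip_subblocks(data, pos)
        else:
            raise ValueError(f"unknown block 0x{block:02x} at {pos - 1}")


def trailing_bytes(data):
    """Number of bytes after the GIF trailer; a clean image has none."""
    return len(data) - gif_trailer_offset(data)


def looks_like_gifar(data):
    """Upload check: reject GIFs that are malformed or carry a ZIP after
    the trailer. Malformed files are rejected too, not waved through."""
    try:
        extra = trailing_bytes(data)
    except (ValueError, IndexError):
        return True
    return extra > 0 and zipfile.is_zipfile(io.BytesIO(data))


if __name__ == "__main__":
    # Placeholder entries, not a real applet (assumption for illustration).
    poly = build_gifar(MINIMAL_GIF, {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "Placeholder.class": b"\xca\xfe\xba\xbe",
    })
    print("starts as GIF:", poly[:6] == b"GIF89a")
    print("opens as JAR:", sorted(jar_entries(poly)))
    print("bytes after trailer:", trailing_bytes(poly))
    print("flagged:", looks_like_gifar(poly))
```

The check above only catches the appended-archive form; the more robust site-side defence is to never store uploaded bytes verbatim at all, but to decode and re-encode every image (which drops anything after the trailer), and to serve user-supplied content from a separate domain that carries no session cookies, so that even a file that does sneak through cannot run with the user's session on the main site.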
The attack could work on any site that allows users to upload files, potentially even Web sites used to upload photos of banking cards, or Amazon.com, they say.
Because the GIFAR is executed by the Java plug-in rather than by the browser's own engine, it can be opened in any browser that has Java enabled.
There is one catch, however. The victim would have to be logged into the Web site that is hosting the image for the attack to work, because what the applet inherits is the victim's current session with that site, not the password itself. "The attack is going to work best wherever you leave yourself logged in for long periods of time," said Heasman, one of the researchers.
Lots of users stay logged onto social sites that could display GIFARs almost continuously, so the risk of this exploit hitting paydirt if it gets out in the wild is pretty high. Either Sun will have to come up with an improvement to its Java runtime environment, or browser security will have to be beefed up. The third option is we all just change our online passwords to "password" and let the thieves take what they like.