Imagine you're a web advertiser.

Imagine you can open a popup window from a web page defeating any popup blocker.

Imagine this popup can invade the whole desktop, full screen.

Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No means to close it.

Imagine the user can't move or minimize this popup. It will go away only when the browser is killed or your show is done...

Now imagine you're a phisher.

Imagine you can use this almighty popup to draw anything you want. A fake browser or -- why not? -- a whole fake desktop to collect the user's data.

Impossible wet dreams of clueless evildoers?

No, it's just 100% Pure Java™ Reality.

If you're using Opera or a Gecko-based browser, a similar full-screen evil can be performed with just a few JavaScript lines. No need to compile and host any applet, thanks to the LiveConnect technology.

I notified Sun on 29-Jul-2007.

My bug report has been evaluated and publicly disclosed by Sun yesterday (06-Aug-2007) as a request for enhancement.

Looks like responsibly filing a bug in Sun's bug tracker, religiously waiting one week for its classification by Sun engineers and having it finally published by Sun itself as a non-security-related RFE is not enough to go public. I should have known that security reports should be submitted to security-alert at sun dot com to be properly handled. When Maarten Van Horenbeeck (SANS ISC) did it, Sun requested him to ask me "to keep the issue confidential, and hold the blog post, till Sun has completely fixed it and is ready to issue a Sun Alert to warn users". At that time, my post had already been out for some hours, read and commented on by many "hackers" supporting full disclosure. Therefore, I respectfully answered (directly to security-alert at sun dot com, with SANS in CC) explaining why retracting it would have been useless, but apologized for my mishandled report and offered any other help, including my promise to use security-alert at sun dot com instead of the regular bug tracker for future responsible disclosures. I have received no answer yet, but in the meantime my bug report has been reclassified and made inaccessible. I still wonder why I should have known better than a Sun Bug Tracker employee what the proper channel for a security report was...

Will this take more or less than ten days to be fixed?

In the meantime, NoScript is your friend ;)

Update (Oct-22-2007)

Issue fixed. Thanks, Sun.

Demos

Credits

Many thanks to:

Ronald van den Heetkamp for early inspiration

Dan Veditz (Mozilla)

timeless