A Photo That Can Steal Your Online Credentials
IDG News Service (08/01/08) McMillan, Robert
Researchers at the Black Hat computer security conference in Las Vegas next week will demonstrate an attack that could steal online credentials from users of popular Web sites. The attack uses a new type of hybrid software file the researchers have dubbed a GIFAR. By placing the file on Web sites that allow users to upload images, the researchers can circumvent security precautions and take over the accounts of those Web sites’ users.
GS Software’s John Heasman says the GIFAR is a Java applet in the form of an image. GIFAR is a contraction of graphics interchange format (GIF) and Java Archive (JAR), the two file types that make up the applet. The researchers will demonstrate how to create the GIFAR, while omitting a few details to prevent it from being used in a widespread attack. To a Web server, the file looks exactly like a GIF file, but a browser’s Java virtual machine will open the file as a JAR file and run it as an applet, giving the attacker an opportunity to run Java code in the victim’s browser, which treats the applet as though it were written by the Web site’s developers.
The researchers say the attack could work on any site that allows users to upload files, possibly even sites that are used to upload banking card photos or sites such as Amazon.com. The GIFAR attack can be prevented by improving filtering tools so Web sites can detect the hybrid files, and Sun could also improve the Java runtime environment.
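The filtering improvement mentioned above comes down to one check: a file that is accepted as an image must not also be a valid archive. The hybrid works because a GIF is parsed from its start (magic bytes, then a chain of blocks ending in a 0x3B trailer) while a ZIP/JAR is located from its end (the end-of-central-directory record), so a concatenation satisfies both parsers. The following upload filter, written as an added example and not code from the researchers or from any Web site mentioned in the article, walks the GIF block structure to find where the real image ends, reports any bytes after the trailer, and separately asks Python's `zipfile` whether the same bytes parse as an archive. The clean 1x1 GIF and the hybrid sample are constructed inline for the demonstration (the `.class` entry is placeholder text, not bytecode); the function names `gif_payload_length` and `inspect_upload` are this example's own.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")


def gif_payload_length(data: bytes) -> int:
    """Walk the GIF block chain and return the offset just past the 0x3B trailer.

    Raises ValueError (unknown block / no trailer), IndexError or struct.error
    (truncated file); the caller treats all of these as a malformed image.
    """
    if data[:6] not in GIF_MAGICS:
        raise ValueError("missing GIF signature")
    pos = 6
    # Logical screen descriptor: width, height, packed flags, bg index, aspect
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, pos)
    pos += 7
    if packed & 0x80:  # global color table present: 3 bytes * 2^(n+1) entries
        pos += 3 * (2 ** ((packed & 0x07) + 1))

    def skip_subblocks(p: int) -> int:
        # Data sub-blocks: length byte followed by that many bytes, 0 terminates
        while True:
            n = data[p]
            p += 1
            if n == 0:
                return p
            p += n

    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:           # trailer: the image ends here
            return pos
        if block == 0x21:           # extension: label byte, then sub-blocks
            pos += 1
            pos = skip_subblocks(pos)
        elif block == 0x2C:         # image descriptor
            _l, _t, _iw, _ih, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:      # local color table
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1                # LZW minimum code size
            pos = skip_subblocks(pos)
        else:
            raise ValueError(f"unknown block type 0x{block:02x} at offset {pos - 1}")
    raise ValueError("no GIF trailer found")


def inspect_upload(data: bytes) -> dict:
    """Decide whether an uploaded 'image' is safe to store and serve as-is."""
    report = {"is_gif": data[:6] in GIF_MAGICS, "trailing_bytes": 0,
              "embeds_zip": False, "zip_entries": [], "reasons": []}
    if not report["is_gif"]:
        report["reasons"].append("not a GIF")
    else:
        try:
            end = gif_payload_length(data)
            report["trailing_bytes"] = len(data) - end
            if report["trailing_bytes"]:
                report["reasons"].append(
                    f"{report['trailing_bytes']} bytes after GIF trailer")
        except (ValueError, IndexError, struct.error) as exc:
            report["reasons"].append(f"malformed GIF: {exc}")
    # ZIP readers locate the archive from the end of the file, exactly as the
    # JVM does for a JAR, so a hybrid passes this check even with a GIF prefix.
    if zipfile.is_zipfile(io.BytesIO(data)):
        report["embeds_zip"] = True
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                report["zip_entries"] = zf.namelist()
        except zipfile.BadZipFile:
            pass
        report["reasons"].append("file also parses as a ZIP/JAR archive")
    report["verdict"] = "reject" if report["reasons"] else "accept"
    return report


# Constructed samples: a minimal valid 1x1 GIF89a, and the same image with a
# small ZIP appended (placeholder entries, no real bytecode).
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
             b"\x00\x00\x00\xff\xff\xff"
             b"\x21\xf9\x04\x01\x00\x00\x00\x00"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
             b"\x02\x02\x44\x01\x00\x3b")


def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


HYBRID_SAMPLE = CLEAN_GIF + build_zip({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "Hello.class": b"placeholder text, not Java bytecode",
})

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_GIF), ("hybrid", HYBRID_SAMPLE)):
        print(label, inspect_upload(sample))
```

Rejecting any bytes after the GIF trailer is the stronger of the two signals, because it also catches archive formats or scripts this example does not know how to recognise; the archive probe is kept because it names the concrete risk the article describes. A site that wants to keep such uploads can instead re-encode every image through its own decoder, which discards trailing data by construction.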