The Internet Is Broken
At next week's Black Hat computer secruity conference, in a talk titled "The Internet is Broken", presenters are going to explain how someone could steal your online credentials with a photo. It's not just any photo though, but rather a combination of a GIF and JAR file, dubbed GIFAR. The presenters will leave out a few key details to hopefully prevent an attack anytime soon, but it's basically a file that looks like a GIF file, yet will open up as a Java Archive file in a browser's Java virtual machine. The browser simply thinks this is a Java file written by the web site's developers. Why does this have the potential to be a huge problem? Because several sites these days allow users to upload photos; not just image sites like Photobucket, but social networking sites like Facebook, or even auction sites like eBay, the latter of which may grant the attackers access to stored credit card information. The presenters will propose some methods to protect users, and researchers expect Sun to release a patch to its Java virtual machine soon after the conference. In the long run, however, the researchers state that it will be up to the browser makers to make "fundamental changes to their software too."