Features and the security point of view
Today's SANS ISC diary mentions a JavaScript event handler present in today's browsers called onUnload. What does it do? The browser executes it when the user is leaving the page. Very interesting feature, isn't it? Well, not when you start looking at it with the eyes of security, as the diary post does. Those pop-up filled websites can prevent the user from leaving just by executing location=self.location when onUnload is called. Incredibly simple and effective (at least for them). They can also pretend that the user is really leaving when that is not actually happening, which leaves room for a lot of phishing attacks.
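As an added example (not code from this post or from the SANS diary), here is a small heuristic scanner that a defender could run over saved page source to flag unload handlers that navigate, such as the location=self.location trick described above. The function name, the patterns and the sample pages are constructed for illustration.

```javascript
// Heuristic scanner (added example): flags onunload handlers whose code
// navigates, e.g. onUnload="location=self.location". It uses regular
// expressions, not a full HTML/JS parser, so treat hits as leads to review.

// Navigation inside handler code: an assignment to location / location.href
// (but not a == or === comparison), or a call to location.replace/assign/reload.
const NAVIGATION = new RegExp(
  "\\b(?:(?:window|self|top|document)\\s*\\.\\s*)?location(?:\\s*\\.\\s*href)?\\s*=(?!=)" +
  "|\\blocation\\s*\\.\\s*(?:replace|assign|reload)\\s*\\("
);

// Inline HTML attribute, case-insensitive: <body onUnload="...">
const INLINE_ATTR = /\bonunload\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Script property assignment: window.onunload = function () { ... }
// (only simple handler bodies without nested braces are captured)
const PROP_ASSIGN = /\bonunload\s*=\s*function\s*\([^)]*\)\s*\{([^}]*)\}/gi;

function findUnloadNavigation(html) {
  const findings = [];
  const sources = [
    ["inline-attribute", INLINE_ATTR],
    ["script-assignment", PROP_ASSIGN],
  ];
  for (const [kind, pattern] of sources) {
    for (const m of html.matchAll(pattern)) {
      const code = (m[1] ?? m[2] ?? "").trim();
      if (NAVIGATION.test(code)) findings.push({ kind, code });
    }
  }
  return findings;
}

// Constructed sample pages (not captured from any real site).
const TRAP_PAGE =
  '<html><body onUnload="location=self.location">ads</body></html>';
const SCRIPT_TRAP =
  "<script>window.onunload = function () { window.location.href = document.URL; };</script>";
const BENIGN_PAGE =
  '<html><body onunload="saveDraft()"><script>' +
  "if (self.location == top.location) { init(); }</script></body></html>";

for (const page of [TRAP_PAGE, SCRIPT_TRAP, BENIGN_PAGE]) {
  console.log(findUnloadNavigation(page));
}
```

A page that only saves state on unload, or that compares locations elsewhere in its script, produces no finding; only handler code that actually navigates is reported.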