Paper 2002/010

Cut and Paste Attacks with Java

Serge Lefranc and David Naccache

Abstract

This paper describes malicious applets that use Java's sophisticated graphic features to rectify the browser's padlock area and cover the address bar with a false https domain name. The attack was successfully tested on Netscape's Navigator and Microsoft's Internet Explorer; we consequently recommend neutralizing Java whenever funds or private data transit via these browsers and patching the flaw in the coming releases. The degree of novelty of our attack is unclear since similar (yet non-identical) results can be achieved by spoofing as described by Felten; however, our scenario is much simpler to mount as it only demands the inclusion of an applet in the attacker's web page. In any case, we believe that the technical dissection of our malicious Java code has an illustrative value in itself.

Metadata
Available format(s): PS
Category: Applications
Publication info: Published elsewhere. Unknown where it was published
Keywords: Java screen Navigator
Contact author(s): david naccache @ gemplus com
History:
2002-01-28: last of 3 revisions
2002-01-25: received
Short URL: https://ia.cr/2002/010
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2002/010,
      author = {Serge Lefranc and David Naccache},
      title = {Cut and Paste Attacks with Java},
      howpublished = {Cryptology {ePrint} Archive, Paper 2002/010},
      year = {2002},
      url = {https://eprint.iacr.org/2002/010}
}