New URI bugs could steal user data

gallery

New flaws in the way popular internet browser handle external applications could put users at risk of having personal information stolen from them, according to security researchers.

Billy Rios and Nathan McFeters discovered a flaw in the way that Uniform Resource Identifers (URI) could be used to steal data from users.

While a lot of problems surrounding the way browsers deal with malformed data have been fixed through security updates of late, the two researchers have unearthed a couple of more problems. According to them, their attention has turned to the way hackers could use normal features of external applications launched via a browser window. The two label the flaw "functionality-based exploitation".

While the two haven't divulged details of the flaw as they are working with the company whose flaw the software is in, the exploit could be used to steal data from a user's computer.

According to McFeters, the flaw meant that hackers could copy and upload data from a victim's computer to a remote server and it could all be done using just the functionality of the affected software.

The pair plan to reveal more details once the vendor has had a chance to fix the flaw. "We also leaked a little pre-release information about a new piece of URI Use and Abuse we are playing with," said the researchers. "This one allows us to steal data from a user's computer thru an XSS exposure and a URI abuse."

They lamented on their blog on how not revealing more details about the flaw has led to outcry within some sections of the security industry.

"Sometimes you can't win the disclosure game (as I'm sure other security researchers have encountered)," they said. "We've gone through vendor disclosure, third party disclosure, and full disclosure, and we've been criticised each and every time."

Email to a friend

Print this page