New URI bugs could steal user data

Security researchers warn that bugs in browser Uniform Resource Indicator handling could lead to hackers stealing user data.

New flaws in the way popular internet browser handle external applications could put users at risk of having personal information stolen from them, according to security researchers.

Billy Rios and Nathan McFeters discovered a flaw in the way that Uniform Resource Identifers (URI) could be used to steal data from users.

While a lot of problems surrounding the way browsers deal with malformed data have been fixed through security updates of late, the two researchers have unearthed a couple of more problems. According to them, their attention has turned to the way hackers could use normal features of external applications launched via a browser window. The two label the flaw "functionality-based exploitation".

While the two haven't divulged details of the flaw as they are working with the company whose flaw the software is in, the exploit could be used to steal data from a user's computer.

According to McFeters, the flaw meant that hackers could copy and upload data from a victim's computer to a remote server and it could all be done using just the functionality of the affected software.

The pair plan to reveal more details once the vendor has had a chance to fix the flaw. "We also leaked a little pre-release information about a new piece of URI Use and Abuse we are playing with," said the researchers. "This one allows us to steal data from a user's computer thru an XSS exposure and a URI abuse."

They lamented on their blog on how not revealing more details about the flaw has led to outcry within some sections of the security industry.

"Sometimes you can't win the disclosure game (as I'm sure other security researchers have encountered)," they said. "We've gone through vendor disclosure, third party disclosure, and full disclosure, and we've been criticised each and every time."

Featured Resources

Security analytics for your multi-cloud deployments

IBM Security QRadar SIEM solution brief

Download now

Five reasons to move to the cloud

Join the enterprises moving their workloads to the cloud

Download now

Architecting hybrid IT and edge for digital advantage

Why business leaders should consider a hybrid IT strategy

Download now

Six reasons to accelerate remote asset monitoring with AI

How to optimise resources, increase productivity, and grow profit margins with AI

Download now

Recommended

Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021
Microsoft open sources CodeQL queries used in Solorigate inquiry
Security

Microsoft open sources CodeQL queries used in Solorigate inquiry

26 Feb 2021
CISA warns of ongoing Accellion File Transfer Appliance attacks
hacking

CISA warns of ongoing Accellion File Transfer Appliance attacks

25 Feb 2021
What is a Trojan?
Security

What is a Trojan?

25 Feb 2021

Most Popular

How to build a CMS with React and Google Sheets
content management system (CMS)

How to build a CMS with React and Google Sheets

24 Feb 2021
Npower shuts down app after hackers steal user data
hacking

Npower shuts down app after hackers steal user data

25 Feb 2021
New monitors for an agile new normal
Sponsored

New monitors for an agile new normal

19 Feb 2021