Communicator bug may let Webmasters track site visitors

A newly discovered bug in Netscape Communications Corp.'s Communicator software may enable malicious Webmasters to track the activities of site visitors. A US graduate student says several JavaScript flaws allow a hacker to grab data input by Communicator users, including passwords and credit card numbers. The exploit is similar to previously reported hacks, which involve popping up a second, tiny Web browser that silently sends information back to the attacker's host computer.

A newly discovered bug in Netscape Communications Corp.'s Communicator software may enable malicious Webmasters to track the activities of site visitors.

Andre Dos Santos, a graduate student in the Reliable Software Group at the University of California at Santa Barbara, says he discovered several JavaScript flaws in Communicator versions 4.01a and 4.02, the latter being the most recent version.

According to Dos Santos, the bugs allow a hacker to grab data that's input by Communicator users, including passwords and credit card numbers. The exploit is similar to previously reported hacks, which involve popping up a second, tiny Web browser that silently sends information back to the attacker's host computer.

Netscape security group leader Taher Elgamal has confirmed that the bug exists, adding that Dos Santos notified the company about it late last week. Elgamal said Netscape is still trying to identify where the flaw lies in the Communicator code and hopes to have details within a day or two.

This is not the first time Dos Santos has reported browser bugs to Netscape. Last March he pointed out Java flaws in Navigator version 3.01 and in Microsoft's Internet Explorer, bugs that were fixed in later versions of those browsers.

Dos Santos says he discovered the bugs in testing a digital library system that's part of his graduate research. Although his latest discovery may earn him $1,000 through Netscape's $1,000 Bug Bounty program, Dos Santos says he's not in it for the money - he's doing it for the sake of future Web users.

Dos Santos has posted information about his various browser-bug discoveries at his Web site (http://www.cs.ucsb.edu/~andre/).
