File action dialog tampering

ID MFSA2008-08
Type mozilla
Reporter Mozilla Foundation
Modified 2008-02-07T00:00:00


Security researcher Michal Zalewski demonstrated that timer-enabled security dialogs can be subverted by attackers using JavaScript to change the window focus. Zalewski showed that a user could be tricked into confirming a security dialog of this type if the dialog was brought back into focus right before the user clicked at a predictable time and place.
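The following added example (not Mozilla's code and not part of the advisory) models why a countdown that keeps running while the dialog is in the background gives no protection, and how disabling the button on blur and restarting the delay on focus closes that gap. The class name, the 2000 ms delay, and both event timelines are constructed for illustration; restarting on focus is shown as one possible mitigation, not as the fix described by this advisory.

```javascript
// Hypothetical model of a security dialog whose confirm button is enabled
// only after a delay. Time is passed in explicitly so the run is deterministic.
const ENABLE_DELAY_MS = 2000; // assumed value, for illustration only

class DelayedConfirmDialog {
  // restartOnFocus = false: the countdown starts once, when the dialog opens,
  //   and keeps running while the dialog has lost focus.
  // restartOnFocus = true: the button is disabled on blur and the countdown
  //   restarts every time the dialog regains focus.
  constructor(restartOnFocus, openedAt) {
    this.restartOnFocus = restartOnFocus;
    this.focused = true;
    this.armedAt = openedAt + ENABLE_DELAY_MS;
  }
  blur() {
    this.focused = false;
    if (this.restartOnFocus) this.armedAt = Infinity;
  }
  focus(now) {
    this.focused = true;
    if (this.restartOnFocus) this.armedAt = now + ENABLE_DELAY_MS;
  }
  // A click confirms only if the dialog has focus and the delay has elapsed.
  click(now) {
    return this.focused && now >= this.armedAt;
  }
}

// Replays [timeMs, event] pairs against a dialog opened at t = 0 and
// returns, for each click, whether it confirmed the dialog.
function replay(restartOnFocus, timeline) {
  const dialog = new DelayedConfirmDialog(restartOnFocus, 0);
  const outcomes = [];
  for (const [t, event] of timeline) {
    if (event === 'blur') dialog.blur();
    else if (event === 'focus') dialog.focus(t);
    else if (event === 'click') outcomes.push(dialog.click(t));
  }
  return outcomes;
}

// Constructed timeline: dialog loses focus, regains it at 5000 ms, and a
// click meant for another window lands 50 ms later; a second, deliberate
// click follows after the user has had time to read the dialog.
const refocusTimeline = [[100, 'blur'], [5000, 'focus'], [5050, 'click'], [7100, 'click']];
// Constructed timeline: dialog keeps focus throughout.
const normalTimeline = [[500, 'click'], [2500, 'click']];
```

With the constructed refocus timeline, the one-shot countdown accepts the click that arrives 50 ms after the dialog reappears, while the restart-on-focus variant rejects it and still accepts the later deliberate click.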