Chapter 2. Cross-Site Request Forgery

Information in this Chapter

Imagine standing at the edge of a field, prepared to sprint across it. Now, imagine your hesitation knowing the field, peppered with wildflowers under a clear, blue sky, is also strewn with hidden mines. The consequences of a misstep would be dire and gruesome. Browsing the Web carries a metaphorical similarity that, while obviously not hazardous to life and limb, still poses a threat to the security of your personal information.

How often do you forward a copy of all your incoming e-mails, including password resets and private documents, to a stranger? In September 2007, a security researcher demonstrated that the filter list for a Gmail account could be surreptitiously changed by an attacker (www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/). All the victim had to do was be logged into the Gmail account and, in some other browser tab or window at some other point in time, visit a booby-trapped Web page. The user didn't need to be tricked into revealing a password, and neither the trapped Web page nor Gmail needed to have a cross-site scripting vulnerability. All the attacker needed was for the victim to visit the attacker's page while still logged in.

Have an online brokerage account? Perhaps at lunch time you logged in to check some current stock prices. Then you read a blog or watched the latest 30-second video making the viral rounds by e-mail. On one of those sites your browser might have tried to load an image tag that, instead of showing a goofy picture or a skateboarding trick gone wrong, used your brokerage account to purchase a few thousand shares of a penny stock. A costly, embarrassing event, but at least one shared with many other victims of the same scam. Somewhere, a well-positioned trader, having seeded the attack, watches the penny stock rise and rise. Once the price reaches a nice profit point, the trader sells. All the victims, realizing that a trade has been made in their account, from their browser, from their IP address, have little recourse other than to dump the stock. The trader, waiting for this event, shorts the stock and makes more money as the artificially inflated price drops back to its previous value.

Use a site that provides one-click shopping? With luck, your browser won't hit a virtual mine, the ubiquitous image tag, that purchases and ships a handful of DVDs to someone you've never met.

None of these attacks requires anything more than a victim who is authenticated to a Web site and who, in the course of browsing other sites, encounters nothing more dangerous than a single HTML element, typically an image tag, placed with apparent carelessness in a Web page. After visiting dozens of sites, loading hundreds of lines of Hypertext Markup Language (HTML), do you really know what your browser is doing?
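The brokerage scenario above, reduced to its mechanics, is an added example and not code from the book. It models, without any network, a toy brokerage that executes a trade on a plain GET, a 2007-era browser that attaches the site's cookie to every image it loads, and an attacker page carrying a one-pixel image tag. A hardened version of the same endpoint, requiring POST, a same-origin Origin header and a per-session anti-CSRF token, is shown beside it so the difference is visible. Every host name, path, cookie value and token here is a constructed assumption.

```javascript
// Added example (not from the book): why a single <img> tag can place a trade,
// and what a handler needs to check to refuse it. All names are constructed.

const BROKER_ORIGIN = "https://broker.example";   // assumed brokerage site

// Server-side state: session id -> account holder, plus an audit log of trades.
const sessions = new Map([["s3ss10n-victim", "alice"]]);
const csrfTokens = new Map([["s3ss10n-victim", "t0k3n-for-alice"]]);
const trades = [];

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k) out[k] = v.join("=");
  }
  return out;
}

function recordTrade(user, req) {
  const url = new URL(req.url, BROKER_ORIGIN);
  trades.push({ user, symbol: url.searchParams.get("symbol"),
                qty: Number(url.searchParams.get("qty")) });
  return { status: 200 };
}

// Vulnerable handler: a valid session cookie is the only thing it looks at.
// The cookie arrives automatically, so any page that can make the browser
// fetch this URL can trade on the victim's behalf.
function vulnerableTradeHandler(req) {
  const user = sessions.get(parseCookies(req.headers.cookie).sid);
  if (!user) return { status: 401 };
  return recordTrade(user, req);
}

// Hardened handler: state changes require POST, an Origin header naming this
// site, and a per-session token that an <img> tag has no way to supply.
function hardenedTradeHandler(req) {
  const sid = parseCookies(req.headers.cookie).sid;
  const user = sessions.get(sid);
  if (!user) return { status: 401 };
  if (req.method !== "POST") return { status: 405, reason: "state change via GET" };
  if (req.headers.origin !== BROKER_ORIGIN) return { status: 403, reason: "cross-site origin" };
  if (!req.body || req.body.csrf !== csrfTokens.get(sid)) return { status: 403, reason: "bad csrf token" };
  return recordTrade(user, req);
}

// Simulated browser: the victim is logged in, so the jar holds the cookie.
const cookieJar = new Map([["broker.example", "sid=s3ss10n-victim"]]);

// Loads every <img> in a page as a GET, attaching the cookie for the image's
// host. Image loads are modeled as sending no Origin header, as plain GETs do.
function loadPage(html, handler) {
  const responses = [];
  for (const m of html.matchAll(/<img[^>]+src="([^"]+)"/gi)) {
    const target = new URL(m[1]);
    responses.push(handler({
      method: "GET",
      url: target.pathname + target.search,
      headers: { cookie: cookieJar.get(target.hostname) || "" },
    }));
  }
  return responses;
}

// Constructed attacker page: the "skateboarding trick" that is really a trade.
const ATTACKER_PAGE = `<html><body><h1>Skateboarding fail</h1>
<img src="https://broker.example/trade?symbol=PENNY&qty=5000" width="1" height="1">
</body></html>`;

// Runs the attacker page against a handler and reports what happened.
function runAttack(handler) {
  trades.length = 0;
  const [res] = loadPage(ATTACKER_PAGE, handler);
  return { status: res.status, tradesExecuted: trades.length, lastTrade: trades[0] || null };
}

// A genuine same-origin trade from the brokerage's own form still succeeds.
function legitimateTrade() {
  trades.length = 0;
  const res = hardenedTradeHandler({
    method: "POST",
    url: "/trade?symbol=ACME&qty=10",
    headers: { cookie: cookieJar.get("broker.example"), origin: BROKER_ORIGIN },
    body: { csrf: "t0k3n-for-alice" },
  });
  return { status: res.status, tradesExecuted: trades.length };
}

console.log("vulnerable:", JSON.stringify(runAttack(vulnerableTradeHandler)));
console.log("hardened:  ", JSON.stringify(runAttack(hardenedTradeHandler)));
console.log("legit POST:", JSON.stringify(legitimateTrade()));
```

The vulnerable handler executes the 5,000-share trade for alice without her clicking anything; the hardened one stops at the method check and never reaches the account. Note that the Origin check alone would not be enough in a real deployment, since some requests legitimately arrive without the header, which is why the token check is kept as well; the modern SameSite cookie defaults that blunt this particular image-tag case did not exist in 2007.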