
“Race Conditions” in security dialogs

July 4, 2010 – 1:26 pm | 2 Comments

I don't know why it's called a "race" dialog but it is.

Ever wonder why you have to wait three seconds to install a Firefox add-on? I’ve always thought the delay was to make sure that I read the security box. Turns out it’s more inspired than that: an attack can prey on human reaction time to get users to push the button. Imagine a website that asks you to type the word “only.” When you type the “n,” the site tries to install the add-on, and when you type the “y,” you accept the add-on’s installation in the Firefox dialog. Nefarious…

Another example and a demo of this attack at Jesse Ruderman’s blog.
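The delay described above, sketched as a guard that a confirmation dialog could consult before honouring an accept action. This is an added example, not Firefox's code or anything from the original post; `DialogGuard`, `replayOnly`, the keystroke timings and the choice to restart the countdown whenever the dialog regains focus are all assumptions made for illustration.

```javascript
// Added example: input guard for a security confirmation dialog.
// All names and timings here are hypothetical, not Firefox's implementation.
class DialogGuard {
  constructor(delayMs = 3000, now = () => Date.now()) {
    this.delayMs = delayMs;
    this.now = now;          // injectable clock so the guard can be tested
    this.armedAt = null;     // null means the dialog is hidden or unfocused
  }
  // Call when the dialog is shown or regains focus: the countdown restarts.
  arm() { this.armedAt = this.now(); }
  // Call when the dialog is hidden or loses focus.
  disarm() { this.armedAt = null; }
  remainingMs() {
    if (this.armedAt === null) return this.delayMs;
    return Math.max(0, this.delayMs - (this.now() - this.armedAt));
  }
  // True only if the dialog has been continuously in front of the user
  // for the whole delay; earlier accept actions are dropped.
  accept() {
    return this.armedAt !== null && this.remainingMs() === 0;
  }
}

// Constructed replay of the "only" scenario from the post: the prompt
// appears as "n" is typed, and the "y" keystroke lands on it 150 ms later.
function replayOnly(delayMs) {
  let t = 0;
  const guard = new DialogGuard(delayMs, () => t);
  const decisions = [];
  for (const [key, at] of [["o", 0], ["n", 120], ["l", 200], ["y", 270]]) {
    t = at;
    if (key === "n") guard.arm();                    // prompt steals focus
    if (key === "y") decisions.push(guard.accept()); // stray keystroke
  }
  t = 120 + delayMs;               // user reads the prompt, then accepts
  decisions.push(guard.accept());
  return decisions;                // [strayAccepted, deliberateAccepted]
}

console.log(replayOnly(0));    // no delay: the stray "y" is accepted
console.log(replayOnly(3000)); // with delay: only the deliberate accept counts
```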


2 Comments

  1. Colin
    Posted July 5, 2010 at 1:06 am | Permalink

    It’s called a “race condition” because the outcome is timing dependent – whether the attacker “wins the race” to get its code run at the right time.

  2. Mike
    Posted July 5, 2010 at 8:18 am | Permalink

    Ah, thanks Colin. That makes sense.
