Abusing LiveConnect for fun and profit
The slides are available in PDF format too.
While it’s a very cool tech demo, it’s IMHO also a very bad security issue that browser vendors and Oracle need to look at. The user sees nothing but a dialog like this:
and once they click OK, they are completely owned.
Even worse, while this dialog shows the case of a valid certificate, the dialog for an invalid (self-signed or expired) certificate isn’t much different, so users can easily be tricked into clicking Allow.
By now, though, I’m really concerned about putting an end to this, or at least raising the hurdle the end user has to clear before this goes off - maybe force them to click a visible applet. Or just remove the LiveConnect feature altogether from browsers, thus forcing applets to be visible.
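The mitigation proposed above (make the applet visible, or at least make the user interact with something visible) suggests a simple defender-side check: find Java plugin elements on a page that the user could not possibly see. The following is an added example, not code from the original post or talk. It assumes the Java plugin is reached through `applet`, `object` or `embed` elements with an `application/x-java...` MIME type, and the visibility rules it applies (zero size, `display:none`, `visibility:hidden`, `opacity:0`, positioned off-screen) are this example's own heuristic. The core logic works on plain element descriptors so it runs in Node; `auditDocument()` is the browser adapter.

```javascript
// Added example (not from the original post): flag Java plugin elements that
// are present on a page but invisible to the user, which is the precondition
// for the "invisible applet driven from JavaScript" scenario discussed above.

// Tags through which the Java plugin could be instantiated (assumption).
const APPLET_TAGS = new Set(['applet', 'object', 'embed']);

// Element descriptor used by the DOM-independent logic:
// { id, tag, type, width, height, display, visibility, opacity, offscreen }
function isJavaElement(el) {
  const tag = String(el.tag || '').toLowerCase();
  if (!APPLET_TAGS.has(tag)) return false;
  if (tag === 'applet') return true;
  // object/embed host many plugins; only Java MIME types count here.
  const type = String(el.type || '').toLowerCase();
  return type.startsWith('application/x-java');
}

// Heuristic reasons why a user could not see (or click) the element.
function hiddenReasons(el) {
  const reasons = [];
  if (!(el.width > 0) || !(el.height > 0)) reasons.push('zero-size');
  if (el.display === 'none') reasons.push('display:none');
  if (el.visibility === 'hidden') reasons.push('visibility:hidden');
  if (el.opacity !== undefined && Number(el.opacity) === 0) reasons.push('opacity:0');
  if (el.offscreen) reasons.push('positioned off-screen');
  return reasons;
}

// Returns one finding per Java element that fails the visibility heuristic.
function findHiddenApplets(elements) {
  const findings = [];
  for (const el of elements) {
    if (!isJavaElement(el)) continue;
    const reasons = hiddenReasons(el);
    if (reasons.length > 0) {
      findings.push({ id: el.id || null, tag: el.tag, reasons });
    }
  }
  return findings;
}

// Browser adapter: builds descriptors from the live DOM. Only runs in a
// browser; pass `document` and `window`.
function auditDocument(doc, win) {
  const descriptors = [];
  for (const node of doc.querySelectorAll('applet, object, embed')) {
    const cs = win.getComputedStyle(node);
    const r = node.getBoundingClientRect();
    descriptors.push({
      id: node.id,
      tag: node.tagName,
      type: node.getAttribute('type'),
      width: r.width,
      height: r.height,
      display: cs.display,
      visibility: cs.visibility,
      opacity: cs.opacity,
      offscreen: r.right <= 0 || r.bottom <= 0,
    });
  }
  return findHiddenApplets(descriptors);
}

// Constructed sample input standing in for a scanned page: one visible applet,
// two hidden Java elements, and one hidden non-Java plugin that must be ignored.
const SAMPLE_ELEMENTS = [
  { id: 'game', tag: 'applet', width: 640, height: 480, display: 'block', visibility: 'visible', opacity: '1' },
  { id: 'hidden1', tag: 'applet', width: 0, height: 0, display: 'block', visibility: 'visible', opacity: '1' },
  { id: 'hidden2', tag: 'object', type: 'application/x-java-applet', width: 1, height: 1, display: 'none', visibility: 'visible', opacity: '1' },
  { id: 'flash', tag: 'object', type: 'application/x-shockwave-flash', width: 0, height: 0, display: 'none' },
];

console.log(JSON.stringify(findHiddenApplets(SAMPLE_ELEMENTS), null, 2));
```

Run with Node to see the findings for the constructed sample (`hidden1` for zero size, `hidden2` for `display:none`); in a browser, `auditDocument(document, window)` applies the same rules to the real page. The heuristic is deliberately conservative: a one-pixel applet with normal styling passes, so size thresholds are worth tuning to the deployment.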
But aside from the security issues, I still think this is a very interesting case of long-forgotten technology. If you are interested, do have a look at the talk and travel back in time to when stuff like this was only half as scary as it is now.