"Race Conditions" in security dialogs

I don't know why it's called a "race" dialog but it is.

Ever wonder why you have to wait three seconds to install a Firefox add-on? I’ve always thought the delay was to make sure that I read the security box. Turns out it’s more inspired than that: a hack can be created that preys on human reaction time to get users to push the button. Imagine a website that asks you to type the word “only.” When you type the “n” it tries to install the add-on, and when you type the “y” you accept the add-on’s installation in the Firefox dialog. Nefarious…

Another example and a demo of this attack are at Jesse Ruderman’s blog.
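The timing problem and the delay that defeats it, modelled as an added example (not code from this post or from Firefox). The class and function names, the 150 ms typing interval, "y" as the accept shortcut, and the restart-on-focus behaviour are assumptions of this example.

```javascript
const ENABLE_DELAY_MS = 3000; // the three-second wait described in the post

class GuardedDialog {
  constructor(delayMs = ENABLE_DELAY_MS) {
    this.delayMs = delayMs;
    this.armedAt = null;  // timestamp the delay is counted from; null = not shown
    this.accepted = false;
  }
  show(now) { this.armedAt = now; this.accepted = false; }
  // Assumption of this example: regaining focus restarts the delay, so a
  // dialog opened in the background cannot age before it is raised.
  focus(now) { if (this.armedAt !== null) this.armedAt = now; }
  acceptEnabled(now) {
    return this.armedAt !== null && now - this.armedAt >= this.delayMs;
  }
  // Keyboard input delivered to the dialog; "y" is its accept shortcut.
  keypress(key, now) {
    if (key !== 'y' || !this.acceptEnabled(now)) return false; // swallowed
    this.accepted = true;
    return true;
  }
}

// Replays timestamped keystrokes. The page (modelled here, hypothetically)
// opens the dialog when it sees "n"; later keys land on the dialog.
function replay(dialog, keystrokes) {
  for (const { key, at } of keystrokes) {
    if (dialog.armedAt === null) { if (key === 'n') dialog.show(at); }
    else dialog.keypress(key, at);
  }
  return dialog.accepted;
}

// Constructed sample input: a user typing "only" at about 150 ms per key.
const TYPING_ONLY = [
  { key: 'o', at: 0 }, { key: 'n', at: 150 },
  { key: 'l', at: 300 }, { key: 'y', at: 450 },
];

console.log('no delay:  accepted =', replay(new GuardedDialog(0), TYPING_ONLY));
console.log('3 s delay: accepted =', replay(new GuardedDialog(), TYPING_ONLY));
```

With no delay the stray "y" is honoured 300 ms after the dialog appears; with the delay it is discarded, and only a keypress made after the dialog has been visible for the full interval counts.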

2 Comments to “"Race Conditions" in security dialogs”

  1. Colin 5 July 2010 at 1:06 am #

    It’s called a “race condition” because the outcome is timing dependent – whether the attacker “wins the race” to get its code run at the right time.

  2. Mike 5 July 2010 at 8:18 am #

    Ah, thanks Colin. That makes sense.

