"Race Conditions" in security dialogs

Ever wonder why you have to wait three seconds to install a Firefox add-on? I’ve always thought the delay was to make sure that I read the security box. Turns out it’s more inspired than that: an attack can prey on human reaction time to get users to push the button before they realize a dialog has appeared. Imagine a website that asks you to type the word “only.” When you type the “n” it tries to install the add-on, and when you type the “y” the keystroke lands on the Firefox dialog and accepts the add-on’s installation. Nefarious…

There is another example and a demo of this attack at Jesse Ruderman’s blog.
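The defence described above, sketched as an added example (not Firefox's code and not from the original post): a prompt that ignores accept input until a delay has elapsed since it was shown, replayed over a constructed timeline of the “only” trick. The class and function names, the timestamps, and the choice to restart the countdown when the prompt regains focus are assumptions of this example.

```javascript
// Added example: time-gated "accept" for a security prompt.
class DelayedAcceptGuard {
  constructor(delayMs = 3000) {
    this.delayMs = delayMs; // 3000 ms mirrors the three-second wait in the post
    this.armedAt = null;    // time the prompt last became visible and focused
  }
  show(t) { this.armedAt = t; }  // shown or refocused: restart the countdown
  blur() { this.armedAt = null; } // focus lost: nothing can be accepted
  remaining(t) {
    if (this.armedAt === null) return this.delayMs;
    return Math.max(0, this.delayMs - (t - this.armedAt));
  }
  accept(t) { return this.armedAt !== null && this.remaining(t) === 0; }
}

// Replay a timeline of events and report the outcome of every accept attempt.
function replay(events, delayMs = 3000) {
  const guard = new DelayedAcceptGuard(delayMs);
  const outcomes = [];
  for (const e of events) {
    if (e.type === "show") guard.show(e.t);
    else if (e.type === "blur") guard.blur();
    else if (e.type === "accept") {
      outcomes.push({ t: e.t, accepted: guard.accept(e.t), note: e.note });
    }
  }
  return outcomes;
}

// Constructed timeline (milliseconds): the user types o-n-l-y about 150 ms apart.
const timeline = [
  { t: 150, type: "show" }, // prompt pops up as "n" is typed
  { t: 450, type: "accept", note: "'y' keystroke lands on the prompt" },
  { t: 2000, type: "blur" }, // another window takes focus
  { t: 2500, type: "show" }, // prompt refocused, countdown restarts
  { t: 3400, type: "accept", note: "click 0.9 s after refocus" },
  { t: 5500, type: "accept", note: "deliberate click after the full wait" },
];

for (const o of replay(timeline)) {
  console.log(`${o.t} ms: ${o.accepted ? "accepted" : "ignored"} (${o.note})`);
}
```

Calling `replay(timeline, 0)` shows the unprotected case, in which the stray “y” at 450 ms is accepted.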