
A new way to steal your online credentials

This week in Las Vegas, researchers at a computer security conference will unveil a new type of file aimed at Web sites that let users upload their own images; once uploaded, it allows intruders to circumvent security systems and take over a Web surfer's accounts.

"We've been able to come up with a Java applet that for all intents and purposes is an image," John Heasman, vice president of research at NGS Software, told InfoWorld.com. He said the file looks exactly like a .gif file to the Web server. But a browser's Java virtual machine will open it as a Java Archive file and then run it as an applet, giving the attacker an opportunity to run Java code in the victim's browser.

The browser treats the malicious applet as though the Web site's developers wrote it. The attack could work on any site that allows users to upload files, such as Facebook, or possibly Web sites that are used to upload banking card photos. There are ways to deter this threat, and ultimately, say the researchers, browser makers will have to make some fundamental changes to their software.
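One server-side check for the dual-format file described above, as an added example that is not from the researchers or the article: a Java Archive is a ZIP file, and ZIP readers locate the archive from a record near the end of the file, so bytes that begin as a valid GIF can also parse as an archive. The function names and the sample bytes are constructed for illustration.

```python
import io
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")


def looks_like_gif(data: bytes) -> bool:
    """The naive upload check: trust the leading magic bytes."""
    return data[:6] in GIF_MAGICS


def also_parses_as_zip(data: bytes) -> bool:
    """True if a ZIP/JAR reader would accept these same bytes.

    zipfile searches backwards from the end of the file for the archive's
    trailer record, so image data placed in front does not stop it.
    """
    return zipfile.is_zipfile(io.BytesIO(data))


def classify_upload(data: bytes) -> str:
    """Accept only files that are GIFs and nothing else."""
    if not looks_like_gif(data):
        return "reject: not a GIF"
    if also_parses_as_zip(data):
        return "reject: GIF/ZIP polyglot"
    return "accept"


def constructed_samples():
    """Build two constructed inputs: a plain 1x1 GIF and the same GIF
    with a harmless ZIP (one text file, no Java code) appended."""
    gif = (b"GIF89a"                                      # signature
           b"\x01\x00\x01\x00\x80\x00\x00"                # 1x1 screen
           b"\x00\x00\x00\xff\xff\xff"                    # 2-colour table
           b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor
           b"\x02\x02\x44\x01\x00"                        # pixel data
           b"\x3b")                                       # trailer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed sample, not an applet")
    return gif, gif + buf.getvalue()


if __name__ == "__main__":
    plain, polyglot = constructed_samples()
    for name, blob in (("plain.gif", plain), ("polyglot.gif", polyglot)):
        print(name, looks_like_gif(blob), classify_upload(blob))
```

Both samples pass the magic-byte check; only the second check separates them.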

For more:
- see this InfoWorld article
