hackademix.net

LiveConnect FullScreen Demo

OK, this is evil.

The wet dream of any phisher or web advertiser.

A full-screen window that popup blockers can't stop and that is very difficult to close.

If Java and JavaScript are enabled, it works in Opera and in Gecko-based browsers (Firefox, SeaMonkey, Netscape, Flock...), thanks to LiveConnect.

To close this full screen ugliness you can use my Close LiveConnect Windows Bookmarklet.

To prevent malicious sites from doing this, you need to disable Java globally or (smarter) use NoScript to selectively enable it on trusted sites only.

Even uglier than this is the Pure Java version, which doesn't need JavaScript and works in any browser.

Responsible Disclosure Disclaimer:

This vulnerability was responsibly reported to the Vendor (Sun Microsystems) on 29-JUL-2007.
Made public by Vendor as RFE 6589527 on 06-AUG-2007.
Disclosed on the hackademix.net blog on 07-AUG-2007.
Reclassified and hidden by Vendor on 07-AUG-2007, after the hackademix.net blog post had already gone public and couldn't be retracted.