
Ever wonder why you have to wait three seconds to install a Firefox add-on? I’ve always thought the delay was to make sure that I read the security box. Turns out it’s more inspired than that: a hack can be created that preys on human reaction time to get the user to push the button. Imagine a website that asks you to type the word “only.” When you type the “n” it tries to install the add-on, and when you type the “y” you accept the add-on’s installation in the Firefox dialog. Nefarious…
There is another example and a demo of this attack at Jesse Ruderman’s blog.
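The delay can be modelled as a guard that rejects every accept action until the dialog has been continuously in front of the user for a minimum time. This is an added example, not Firefox's code: `DialogGuard`, `simulateTyping`, the 150 ms keystroke interval and the restart of the countdown on refocus are assumptions made for illustration.

```javascript
// Input-delay guard for a security-sensitive dialog (hypothetical names).
class DialogGuard {
  constructor(delayMs, now = () => Date.now()) {
    this.delayMs = delayMs;
    this.now = now;        // injectable clock so the logic can be tested
    this.armedAt = null;   // null = dialog not visible or not focused
  }
  // Call when the dialog is shown or regains focus: restart the countdown.
  arm() { this.armedAt = this.now(); }
  // Call when the dialog is hidden or loses focus.
  disarm() { this.armedAt = null; }
  // True only after delayMs of uninterrupted visibility.
  canAccept() {
    return this.armedAt !== null && this.now() - this.armedAt >= this.delayMs;
  }
  // Route every accept path (click, Enter, accelerator key) through here.
  tryAccept(onAccept) {
    if (!this.canAccept()) return false; // swallow the early keystroke or click
    this.disarm();                       // one accept per showing
    onAccept();
    return true;
  }
}

// Constructed scenario from the post: the user types "only", the page opens
// the install dialog on "n", and "y" reaches the dialog as its accept key.
function simulateTyping(delayMs, msPerKey) {
  let t = 0;
  const guard = new DialogGuard(delayMs, () => t);
  let installed = false;
  for (const key of "only") {
    if (key === "n") {
      guard.arm();                               // dialog appears mid-word
    } else if (key === "y" && guard.armedAt !== null) {
      guard.tryAccept(() => { installed = true; });
    }
    t += msPerKey;                               // time until the next keystroke
  }
  return installed;
}

console.log("no delay, 150 ms/key:", simulateTyping(0, 150));
console.log("3 s delay, 150 ms/key:", simulateTyping(3000, 150));
```

With no delay the "y" keystroke accepts the install; with the three-second delay it arrives 300 ms after the dialog appears and is discarded.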
2 responses to “‘Race Conditions’ in security dialogs”
It’s called a “race condition” because the outcome is timing dependent – whether the attacker “wins the race” to get its code run at the right time.
Ah, thanks Colin. That makes sense.