Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?
-
https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri
summary:
- You get sent a gmail with a familiar looking attachment (probably because someone you know has been compromised)
- You click on attachment to see preview
- New tab opens to what looks like signin page
- You sign in and are fucked
WHY? Because the URL is actually
data:text/html,https://acounts.google.com/ServiceLogin?server=mail <script>FuckOverWithFakeLoginPage()</script>
And gee, because everyone's address bar is so short because it's A Big Scary Thing That Keeps You From Grumpy Cat, you don't see the <script> part.
And because people are used to the address bar randomly dropping information anyways (protocol why show that? www why show that? SCARY!!!!), people aren't aware when the URL doesn't look right.
Fuck you, browser makers.
-
@Lorne-Kates Doesn't Firefox block entered data: URIs by default?
-
@RaceProUK I don't know what his FF22 does, but the current version doesn't.
-
@anotherusername said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
@RaceProUK I don't know what his FF22 does, but the current version doesn't.
Not even the FUTURE version does.
The one that shows you a warning when selecting a password field on a non-HTTPS site.
-
@anotherusername said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
@RaceProUK I don't know what his FF22 does, but the current version doesn't.
FF22 doesn't.
-
Chrome latest:
-
@Lorne-Kates said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
Chrome latest:
Interesting. Is there any legitimate use case for this functionality beyond parlor tricks?
-
@aliceif said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
shows you a warning when selecting a password field on a non-HTTPS site.
I'd assume, then, that it'll display that warning if you select a password field on a page loaded by a data: URL? Even so, phishing attacks can still be successful. They just have to host the page on an HTTPS server. ...wasn't there a phishing attack not that long ago which used a fake login page that was hosted on Google docs to steal your Google account password? It'd be really difficult to catch that...
-
@Groaner said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
Interesting. Is there any legitimate use case for this functionality beyond parlor tricks?
For people who don't know how to use Greasemonkey?
-
I'm a dum:
-
@RaceProUK said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
@Lorne-Kates Doesn't Firefox block entered data: URIs by default?
-
@Lorne-Kates said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
And gee, because everyone's address bar is so short because it's A Big Scary Thing That Keeps You From Grumpy Cat, you don't see the <script> part.
- If they can just fucking add 500 whitespace characters to the right, making the URL bar slightly longer won't matter
- The URL bar in Chrome is still taking the entire screen
- What users are trained to look for is, in that order:
  - The green padlock on the left
  - Any padlock on the left
  - The "https" prefix and the domain name that all browsers helpfully highlight for you.
Now let's look at that URL bar:
No padlock, no domain, and a very weird thing at the beginning. Not sure what else you'd want. If anything, they should hide MORE of the URL since the domain is all that matters for security purposes.
Not that any of it really matters. The domain name could be iamgoingtostealyourpassword.ru, and only slightly fewer people would fall for it.
-
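Added example, not code from the thread or from any of the posters: a small link inspector in JavaScript that applies the checks listed in the post above (is it https, does it have a real host for a padlock to attach to) and, for data: URLs, looks for the two tells in the URL quoted in the first post, an embedded script tag and a long run of padding whitespace that pushes it out of the visible address bar. The allow-listed host, the padding threshold and the sample links are all constructed for the demo; nothing here contacts a server.

```javascript
// Added example (not from the thread). Classifies a link the way a careful
// reader would: scheme, host, and for data: URLs the content of the body.

// Assumption for the demo: the only login host we consider legitimate.
const TRUSTED_HOSTS = new Set(["accounts.google.com"]);

// Assumption: a run of whitespace this long in a data: body is padding.
const PAD_THRESHOLD = 20;

function safeDecode(s) {
  // decodeURIComponent throws on malformed escapes; a hostile URL may well
  // contain some, so fall back to the raw text instead of failing.
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Returns { verdict: "ok" | "suspicious", scheme, host, reasons }.
function inspectLink(href) {
  const link = String(href).trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(link);
  const scheme = m ? m[1].toLowerCase() : "";
  const reasons = [];

  if (scheme === "data") {
    // A data: URL has no origin and no host, so no padlock can ever apply.
    reasons.push("data: URL has no host and no origin");
    const comma = link.indexOf(",");
    const mediaType = comma === -1 ? "" : link.slice("data:".length, comma).toLowerCase();
    const body = comma === -1 ? "" : safeDecode(link.slice(comma + 1));
    if (mediaType.startsWith("text/html")) {
      reasons.push("body renders as HTML");
    }
    if (/<script[\s>]/i.test(body)) {
      reasons.push("body contains <script>");
    }
    const pad = new RegExp("\\s{" + PAD_THRESHOLD + ",}").exec(body);
    if (pad) {
      reasons.push(pad[0].length + " consecutive whitespace characters push the rest off-screen");
    }
    // The visible part of the body is often a decoy that looks like a real URL.
    const decoy = /https?:\/\/[^\s<>"']+/i.exec(body);
    if (decoy) {
      reasons.push("decoy URL text in body: " + decoy[0]);
    }
    return { verdict: "suspicious", scheme, host: "", reasons };
  }

  if (scheme === "javascript") {
    reasons.push("javascript: URL runs code in the current page");
    return { verdict: "suspicious", scheme, host: "", reasons };
  }

  let url;
  try {
    url = new URL(link);
  } catch (e) {
    reasons.push("not a parseable URL");
    return { verdict: "suspicious", scheme, host: "", reasons };
  }
  if (url.protocol !== "https:") {
    reasons.push("scheme is " + url.protocol + ", not https:");
  }
  if (!TRUSTED_HOSTS.has(url.hostname)) {
    reasons.push("host " + url.hostname + " is not on the allow-list");
  }
  return { verdict: reasons.length ? "suspicious" : "ok", scheme, host: url.hostname, reasons };
}

// Constructed sample links (none is a live page). "phish" has the same shape
// as the URL quoted in the first post: decoy https:// text, 500 spaces, then a
// script tag, which is left as an empty comment here.
const SAMPLES = {
  real: "https://accounts.google.com/ServiceLogin?service=mail",
  plainHttp: "http://accounts.google.com/ServiceLogin",
  lookalikeHost: "https://accounts.google.com.login-example.test/ServiceLogin",
  phish: "data:text/html,https://accounts.google.com/ServiceLogin?server=mail" +
         " ".repeat(500) +
         "<script>/* a fake login page would be built here */</script>",
};

// Verdict per sample name, handy for a quick table.
function reportAll(samples) {
  const out = {};
  for (const [name, href] of Object.entries(samples)) {
    out[name] = inspectLink(href).verdict;
  }
  return out;
}

for (const [name, href] of Object.entries(SAMPLES)) {
  const r = inspectLink(href);
  console.log(name + ": " + r.verdict + (r.reasons.length ? " (" + r.reasons.join("; ") + ")" : ""));
}
```

The data: branch deliberately does not trust the URL parser for the body: after the comma, spaces and angle brackets may arrive literally or percent-encoded depending on how the link was pasted, so the body is decoded first and only then searched. The allow-list is what makes the http/https branch useful; without it the checker can only say "some https host", which is exactly the judgement users get wrong.
-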
@anonymous234 said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
- What users are trained to look for is, in that order:
-
@RaceProUK I believe in this scenario, you are the smar.
Filed Under: Or at least the secur
-
@RaceProUK "noscript"
-
technology is hard...
So, basically color the (i) yellow...
-
How about we startup a site that sends out phishing attempts, but doesn't actually store the user's information, but instead opens a popup that tells them that they COULD have been just hacked, and then go to a page that explains what just happened.
-
@Lorne-Kates said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
And gee, because everyone's address bar is so short because it's A Big Scary Thing That Keeps You From Grumpy Cat, you don't see the <script> part.
How would a longer address bar protect you from the attacker simply shoving more whitespace before the script part?
-
@xaade said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
How about we startup a site that sends out phishing attempts, but doesn't actually store the user's information, but instead opens a popup that tells them that they COULD have been just hacked, and then go to a page that explains what just happened.
You have too much faith in humanity
-
@Maciejasjmj said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
@Lorne-Kates said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
And gee, because everyone's address bar is so short because it's A Big Scary Thing That Keeps You From Grumpy Cat, you don't see the <script> part.
How would a longer address bar protect you from the attacker simply shoving more whitespace before the script part?
Bug: Doesn't open in a new window....
-
Seems Chrome won't allow that:
Though it might be because JS is disabled by default, and I whitelist sites I actually use.
@PJH said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
Bug: Doesn't open in a new window....
I found that too.
-
@RaceProUK said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
Though it might be because JS is disabled by default, and I whitelist sites I actually use.
Duh, yeah, if you disable JS then JS doesn't run.
@PJH said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
Bug: Doesn't open in a new window....
NodeBB seems to strip "target='_blank'", WONTFIX BYDESIGN.
I guess you could write some JS in that script to make it a popup, but WONTFIX WORKREQUIRED.
-
-
@xaade I want to do that but with ransomware.
But you have to actually take their files away for a while, or hack their account and buy a dildo on Amazon, or do something that actually scares them a bit. Otherwise they won't care. Ever. At all.
-
I've tried it with GMail, but it's stripping the link out. I tried copy pasting the link, and adding a link with their editor.
-
@Lorne-Kates I love Welsh people too!
-
@xaade said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
How about we startup a site that sends out phishing attempts, but doesn't actually store the user's information, but instead opens a popup that tells them that they COULD have been just hacked, and then go to a page that explains what just happened.
I don't have as much faith in people as you. They're not interested in the implementation of all the fancy technology, they just want to get their stuff done, whatever that stuff is. They don't care, they won't read anything, they'll just hit OK and think "Well, didn't get hacked yet, we're all good!".
-
@xaade said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
How about we startup a site that sends out phishing attempts, but doesn't actually store the user's information, but instead opens a popup that tells them that they COULD have been just hacked, and then go to a page that explains what just happened.
You'd probably get sued for hacking and lose the court case.
-
@PleegWat said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
@xaade said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
How about we startup a site that sends out phishing attempts, but doesn't actually store the user's information, but instead opens a popup that tells them that they COULD have been just hacked, and then go to a page that explains what just happened.
You'd probably get sued for hacking and lose the court case.
Doubtful.
We prove it's just a textbox that doesn't go anywhere or do anything.
-
@xaade said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
We prove it's just a textbox that doesn't go anywhere or do anything.
The judicial system being well-known for technical competence.
-
@heterodox said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
@xaade said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
We prove it's just a textbox that doesn't go anywhere or do anything.
The judicial system being well-known for technical competence.
"These guys successfully made a 'web site' using 'technology' to steal private information from unsuspecting consumers! Apparently, the methods they used involved 'programming' or something, so I propose we make it illegal to write a program."
-
@xaade said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
How about we startup a site that sends out phishing attempts, but doesn't actually store the user's information, but instead opens a popup that tells them that they COULD have been just hacked, and then go to a page that explains what just happened.
My understanding is that some large organizations already do this internally.
-
@Maciejasjmj said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
@Lorne-Kates said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
And gee, because everyone's address bar is so short because it's A Big Scary Thing That Keeps You From Grumpy Cat, you don't see the <script> part.
How would a longer address bar protect you from the attacker simply shoving more whitespace before the script part?
Heh, check that out...
-
@Maciejasjmj said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
That URL fits perfectly at the bottom of my Firefox window. It's like you correctly guessed my window geometry. :conspiracy_theorist:
Edit: Firefox ellipsizes long URLs so they fit in the window. Never mind. :whistle:
-
@anonymous234 said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
@xaade I want to do that but with ransomware.
But you have to actually take their files away for a while, or hack their account and buy a dildo on Amazon, or do something that actually scares them a bit. Otherwise they won't care. Ever. At all.
-
@aliceif Nice.
Epic.
I like it.
-
@Groaner said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
My understanding is that some large organizations already do this internally.
At my workplace, if you report one of their own phishing emails without clicking the link or whatever you get a certificate.
-
Training people to ignore certain information is one thing. Training them that actual legit emails have the same things you're meant to be suspicious of in phishing emails is much worse.
I had an email from Spotify telling me I should change my password. It:
- didn't include my name, just "Hi Spotify user"
- had a link to the "Change password" link, not instructions to do it myself
THIS IS THE KIND OF THING WE TELL USERS NOT TO BELIEVE!
-
@Jaloopa said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
Spotify
Same company that allowed some twat to register an account using my email address, because apparently, sending an activation link is too hard. I'm not surprised.
-
@Groaner We do that. The results are always disheartening.
-
@darkmatter why are you replying to @CarrieVS but mentioning @Groaner?
-
@CarrieVS said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
At my workplace, if you report one of their own phishing emails without clicking the link or whatever you get a certificate.
We've had so many lusers fall for phishing emails that now we have a new policy:
If you click on a link in a phishing email, we remove your access to email and you have to successfully pass our course on phishing before getting your access back. I'm still not sure they will be more careful after that.
-
@TimeBandit I don't know what happens here if you fall for it. I don't know anyone who's admitted doing so.
-
@CarrieVS said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
@TimeBandit I don't know anyone who's admitted doing so.
We catch them in the firewall log.
-
@TimeBandit I'm sure we do as well but it's not me that does the catching. I guess I can say that either no-one's fallen for it yet in my office or they aren't publicly named and shamed, with my guess being that the latter is more likely.
-
@Groaner said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
My understanding is that some large organizations already do this internally.
Not so large too. (I think we're around 300)
-
@Maciejasjmj said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
Like this?
wow good thing all the browser makers have decided to get rid of the status bar or shorten it oh wait statusbar4evar
-
@PleegWat said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
@xaade said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
How about we startup a site that sends out phishing attempts, but doesn't actually store the user's information, but instead opens a popup that tells them that they COULD have been just hacked, and then go to a page that explains what just happened.
You'd probably get sued for hacking and lose the court case.
You should be fine as long as the popup is on the first keystroke and not on submit.
-
@TimeBandit @CarrieVS I'd expect them to just embed the email address in the link and log who and when every time it's visited. Seems simpler than fishing through firewall logs to get a list of people who accessed it.
They could get more/better info that way, anyway, because in addition to knowing that they clicked the link (which would be logged server-side when the link is requested), they could also include a script on the page that registers whether it's able to run successfully. And if they wanted to go that far, they could even provide a fake login screen to see if the user would enter their credentials.
-
@anotherusername said in Let's make the URL bar super-short and teach people to ignore it, what could possibly go wrong?:
I'd expect them to just embed the email address in the link and log who and when every time it's visited. Seems simpler than fishing through firewall logs to get a list of people who accessed it.
If you create the phishing emails, yeah. But I'm talking about real phishing emails.