Hacker News

How does it help? Can't the attacker make a query to Google for the user image and display it on the phishing page?



No. There is no email-to-profile-pic mapping endpoint for unauthenticated users, to my knowledge.


I've seen targeted gmail phishing emails, within the last week, that contain the correct email picture.

They are getting images from somewhere...so...no, this isn't a security feature.


Then how does the image consistently display before the password has been provided? No matter what the answer is, I don't see how it could be an anti-phishing feature.


Because the image location is stored in a cookie from before the attack and this cookie will not be sent by a browser to a phishing site.

Try from an incognito window in your browser: the image should not show up, since no cookies are being sent in the incognito window.
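The mechanism this comment describes (a hint stored in a cookie that the browser will only return to the origin that set it) can be modelled directly. The following is an added example, not code from the thread or from Google: it implements RFC 6265 domain matching for a toy cookie jar, a login service that sets the hint after a real login, and three visits (a return to the real host, a visit to a constructed look-alike phishing host, and a fresh incognito jar). The host names, picture URL and cookie name are all constructed; unlike the comment's literal "image location in a cookie", the model stores an opaque token and resolves it server-side, which is an assumption about design rather than a description of the real implementation.

```python
"""Toy model of a cookie-scoped profile-picture hint on a login page.

Constructed example: after a successful login the legitimate host sets an
opaque cookie. The browser's cookie jar only returns that cookie to hosts
that domain-match it, so a look-alike phishing host, or a fresh incognito
jar, receives nothing and has no picture to render.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import secrets

LEGIT_HOST = "accounts.example.com"       # assumed legitimate login host
PHISH_HOST = "accounts-example.com.evil"  # constructed look-alike host
PICTURE = "https://img.example.com/alice.png"  # constructed picture URL


@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # host (or domain) the cookie was set for
    http_only: bool = True


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or request host is a subdomain
    of the cookie domain and is not an IP address (crude last-label check)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return (request_host.endswith("." + cookie_domain)
            and not request_host.split(".")[-1].isdigit())


class CookieJar:
    """Browser-side store; a fresh instance models an incognito window."""

    def __init__(self) -> None:
        self._cookies: List[Cookie] = []

    def store(self, cookie: Cookie) -> None:
        self._cookies.append(cookie)

    def cookies_for(self, host: str) -> Dict[str, str]:
        # Only cookies whose domain matches the destination host are sent.
        return {c.name: c.value
                for c in self._cookies if domain_matches(host, c.domain)}


class LoginService:
    """Server side of the legitimate host: opaque token -> picture URL."""

    def __init__(self) -> None:
        self._hints: Dict[str, str] = {}

    def complete_login(self, jar: CookieJar, picture_url: str) -> None:
        # Set after a real, fully authenticated login; the token is random
        # and carries no user data, so the cookie itself reveals nothing.
        token = secrets.token_urlsafe(16)
        self._hints[token] = picture_url
        jar.store(Cookie("acct_hint", token, LEGIT_HOST))

    def render_login_page(self, request_cookies: Dict[str, str]) -> Optional[str]:
        # Picture shown before any password entry, but only if the browser
        # presented a token this service issued earlier.
        return self._hints.get(request_cookies.get("acct_hint", ""))


def simulate() -> Dict[str, Optional[str]]:
    service = LoginService()
    browser = CookieJar()
    service.complete_login(browser, PICTURE)

    results: Dict[str, Optional[str]] = {}
    # 1. Return visit to the real host: cookie is sent, picture is rendered.
    results["legit_revisit"] = service.render_login_page(
        browser.cookies_for(LEGIT_HOST))
    # 2. Phishing page on a look-alike host: the jar sends no cookie, so the
    #    attacker's server has no token and nothing to show the victim.
    phish_request = browser.cookies_for(PHISH_HOST)
    results["phishing_site"] = phish_request.get("acct_hint")
    # 3. Fresh incognito jar against the real host: no cookie, no picture,
    #    which is why the hint is absent there too.
    results["incognito"] = service.render_login_page(
        CookieJar().cookies_for(LEGIT_HOST))
    return results


if __name__ == "__main__":
    for case, shown in simulate().items():
        print(f"{case:15s} -> {shown or '(no picture)'}")
```

The point the simulation makes is the one in the comment: the signal comes from cookie scoping in the victim's own browser, so a page on another host cannot obtain it by copying markup or by querying the legitimate site, and a cookie-less context (incognito) simply never shows it.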


I use fresh incognito tabs constantly. So I guess I'll never see the image, and never know something is amiss.

But I also never click an email link to log in unless it's a plain text password reset. I receive authentic-looking and topical Dropbox share requests from actual contacts (who have been hacked) trying to phish my Dropbox credentials maybe 4-5 times a year, so I'm always on the lookout for it. This is a classic attack. Always check the URL!


Google naturally has their own private APIs which will only show the profile image for legitimate logins.


And no phisher has ever copied anything from the original site before.



