Browser in the Browser (BITB) Attack (mrd0x.com)
259 points by jcynix on March 17, 2022 | 143 comments



Very few people would notice the slight differences between the two.

My browser always shows the URL scheme, and my UI looks nothing like that, so I guess this is another point in favour of people customising their UI and a point against browsers letting websites modify the appearance of things like scrollbars and form controls, or --- and I really don't understand why no one thought this was a really bad idea to even implement at all --- allowing popups with no browser controls.

I don't think this is such a novel idea either --- remember the fake "your computer is infected click here" popups that tried to look like the OS's? I've always used something other than the defaults for UI appearance, so besides the more obvious clues like having browser controls, they really looked off with things like their different titlebar colour and font.


You might notice it, but according to this, most people wouldn't:

>“It’s a picture of an IE7 browser running on Windows Vista in the transparent Aero Glass theme with a page containing a JPEG of an IE7 browser running on Windows XP in the Luna aka Fisher Price theme?” I pointed out.

>“Oh. Huh.” they noted.

https://textslashplain.com/2017/01/14/the-line-of-death/


Most people probably also have no adblocker, so are being subjected to visual overload all the time they're browsing. I could definitely see that causing them to stop noticing things, if they're already spending a lot of (possibly unconscious) effort filtering out all the ads and other distractions on a page.


It's not a pop-up, it's a browser simulated with DOM elements inside the page. The attack bets that you don't notice that it's not actually a new operating system window and instead is just a part of the page you're on. The author includes default "skins" for both windows and macOS.


The people I've seen this target mostly use Chrome and aren't extremely tech literate - they'll hover over the sign-in link, see a real Steam or Microsoft URL and a very convincing fake popup. You really only notice if you try to move them out of the window, if you're not paying a lot of attention.

This is one of the primary methods Discord scammers phish for accounts nowadays, and it still seems to be extremely effective.


Wow - after 20 years of phishing variants, I've finally seen one that I'd 100% fall for. The rise of pop-up auth dialogs is something I've kinda just taken for granted as more and more platform-native apps make use of them - I wouldn't even blink if it happened to me in a browser window (until now).


I think the only defense you could possibly have is to drag popups "outside" the main browser window. I run into this problem dealing with remote desktop windows and WU update dialogs (ok, so which machine is requesting a reboot now?). (I should theme my machines slightly differently to solve this problem).

The sad thing is that even with a real popup the only defense you have is the URI, and most of the time it's incomprehensible tech-speak, so realistically speaking normal everyday users don't stand a chance.


A password manager is the best defense, given it won’t autofill in that bogus window.


It would need an extremely sophisticated password manager to actually fill that bogus "window".


Or an extremely dumb one.


The only defense I have against this attack is that pop-ups annoy me and I always copy and paste the URL into my main browser window to login every time just out of spite.


It's because of the death of third-party cookies. So now pop-ups are needed.


This attack would completely fall flat if you were using something that was posted here a couple days ago: https://hotdoglinux.com/

The fake popup would be the only window that doesn't look like an Atari ST. :D


Yes, as long as HotDogL doesn't leak the OS variant via the User-Agent string, JavaScript fingerprinting, or TCP fingerprinting. I believe CloudFlare has already developed and explored all of these paths, obviously to great effect. This means replicating what CF has done is only a matter of pouring resources into it; surely many others have also completed bits and pieces, or maybe even have superior top-secret proprietary technology.

What's that Ultra-privacy oriented Linux distro which is TOR-centric, with a locked-down-by-default browser config? That beast might be your best bet.


> What's that Ultra-privacy oriented Linux distro which is TOR-centric, with a locked-down-by-default browser config? That beast might be your best bet.

You're probably thinking of TAILS.


Even better, QubesOS with a Whonix template.

QubesOS never allows true full screen mode to prevent spoofing attacks, the titlebar and taskbar are always visible. It also forces all windows to display a colored border, the color represents the application's security domain. A window in an untrusted VM cannot pretend to be a trusted VM window. A spoofed browser screen won't show the correct titlebar and (user-defined) color.

But what makes this attack frightening is that even such kind of extreme measures only provide limited protections. Spoofing is still possible, you can bet on the default theme with a red border - this is the default for untrusted, disposable VM. I'd say I would totally fall for this.

The only thing that makes it somewhat safe is the impossibility of detecting QubesOS reliably. Some heuristics exist: you can detect CPU cores, and a low number indicates a potential VM. You can also detect the GPU model; an LLVM software renderer or disabled WebGL is a strong indication of a VM or Tor Browser. But none is reliable.


It's actually not about the browser config, it's all about the graphics - this reminds me that in Firefox you could customize the UI easily with an overlay image.

That would defeat this attack, assuming it was random/undetectable. Maybe time to go the other way and never lock down the config...

Or just disable anything resembling a box in the browser, make html strictly hyper text media again, no programming or js.


I love this idea, wish this was a standard feature implemented in many of my applications and operating systems.

Also.. setting a custom UI background image sounds like browser configuration to me :p

Seriously though, the difference with and genius in your idea is essentially applying the "Send my bank a custom secret they then present to me so I know if I'm really speaking with them", except with new twists in:

1. Know if a window belongs to my FF client / OS / whatever needs securing.

2. The absence of further concerns about what OS details get inevitably leaked, at least for protecting against this one class of threat.


I fell for that attack 2 years ago, when I had a separate Windows installation just for gaming. It was rarely used, so I didn't have a reason to customize it, and I only needed 2 or 3 passwords there, so I was too lazy to install my password manager (plus I feared it could get compromised in case of malicious mods, RCE bugs in games etc.). I also wasn't surprised that I was logged out, as I didn't remember where I was logged in and where I was not. I'm glad that Steam has working forms to lock an account, and that the attacker wasn't fast enough in changing the email address.

I wish the browsers would just open everything in new tabs.


Fear not, among the millions of flags firefox exposes in about:config there is browser.link.open_newwindow.restriction that does exactly what you are looking for! Make sure to set it to 0.


Oh, thanks a lot for this command, I finally found out why LibreWolf opened everything in a new tab.


This is a super common phishing attack on Steam, people send you links that eventually lead to a "Sign in with Steam" button, which opens up one of these fake popups with a perfectly styled login page. Almost got me the first time...


I have come across this attack once. What happened was, when I opened a webpage (a torrent listing page, I don’t remember which one), it opened a popup and they made it fullscreen, and it was saying that I had visited some bad webpage and the govt had found it and I should pay some amount (~300 USD) to get my computer unlocked. I checked the domain and it was the gov domain. And it was asking me for my credit card details. I felt something was wrong and pressed the esc button and Chrome minimised the screen. Then I saw 2 title bars. I inspected the webpage and found that they were drawing custom title bars. A lot of people would have fallen for this.


These sorts of 'exploits' take advantage of the site-agnostic nature of passwords. Using a password manager may be able to mitigate this.

For this particular attack, a fun 'solution' may be to incorporate some sort of AI-based detection system to warn the user if anything resembling a browser is shown on the site.


No, the solution is to get rid of passwords.

WebAuthn is already being deployed. There will be a decade of consumer education ahead.

https://en.wikipedia.org/wiki/WebAuthn


Right, notice that WebAuthn is completely immune to this attack like other phishing attacks, and the "consumer education" is mostly unlearning things. All the anti-phishing lessons are irrelevant.

The real browser knows you are looking at phishing.example and so if asked for credentials it will try to get credentials for phishing.example, meanwhile the fake browser which insists this is facebook.com can't talk to the physical Security Key.


Until the phishing site says “there’s a problem with your security key, please enter your password and the SMS code we just sent”

The presence of alternative “back up” Authentication mechanisms on nearly every site and service prevents WebAuthn from being truly effective.


Anything that does not involve passwords or something that can be backed up is dangerous on its own though. Consider the case of police or customs seizing all of your devices, your Yubikey being destroyed by a pet eating it, your home being destroyed by fire or you having to flee an active war zone - how will you log in to your stuff again?

And most people won't think of enrolling a secondary 2FA module, not to mention there are a lot of sites that don't allow enrolment of more than one authenticator, and the fact that the backup has to be stored somewhere offsite opens up new potential for theft.


While what you say is true, e.g. WebAuthn + a trusted platform module on a mobile phone is the lesser evil for most consumer use cases. It might not be the lesser evil for all use cases, but it will be the lesser evil for retail banking, e-commerce, Steam accounts, OnlyFans creators, cryptocurrency exchanges, social media accounts and such. We are talking about billions of medium-security accounts, not a handful of high-security accounts.


I'm not up on all the details, but if I use WebAuthn in a major browser, can I trivially give a different ID to every website, or is it more like they all want to authenticate me as the same person (joe@apple.com, jill@google.com, clippy@outlook.com, etc.)?


tl;dr Yes you can definitely give a different ID to every web site and it's not even possible to correlate those IDs based on you using WebAuthn for them

The elliptic curve private keys used to sign the authentication message are actually different for every site you use the authenticator with, they're chosen at random and cheap authenticators aren't even storing them anywhere, which is part of how fiendishly clever WebAuthn / FIDO is.

Because the authenticators aren't storing the identifier, if you sign into GitHub as asiachick, after having previously enrolled your authenticator as southamericandude, even that authenticator has no idea you're asiachick, and so it won't give the game away. You can even enroll the same authenticator for both these users and it will work correctly, and GitHub can only prove anything is going on by deliberately asking asiachick to authenticate as southamericandude or vice versa, which they've got no reason to try.

Now, if you are using WebAuthn to do usernameless authentication (no password, not even a username, just WebAuthn and one touch to log in) this can't work without the authenticator knowing the credentials. But in that case your local device gives you a menu saying like, asiachick or southamericandude ?


Do any web browsers/servers natively support WebAuthn? or will it remain a JS-only and webapp-only technology?


No, 2 factors is good.

Something you have AND something you know.

I don't want someone to lift my HSM and joyride with it all weekend before I notice it's gone.


WebAuthn is quite capable of doing two factors.

At the cheapest end, something like a Yubico Security Key 2 does two factors with one being the physical key you have and the other being a PIN (such as "180479" or indeed "FkR0Mpg"). An adversary who steals the physical device needs to guess the PIN correctly before it locks out after a few wrong guesses.

Something like a decent Android phone uses a fingerprint as its second factor, Yubico make a physical device that does this if you've got cash burning a hole in your pocket.

In WebAuthn terms the remote site ("relying party") just asks for User Verification and checks that the UV bit is set on the signed message from the authenticator (all WebAuthn signatures will have UP (User Present) set, but UV is a separate bit).


Two-factor does not protect against phishing attempts.

The fake website can ask for two-factor input and man-in-the-middle proxy this to the attacked website. These techniques have been used by phishers for the last decade or so. Asking for more two-factor codes, e.g. once at login and once at withdrawal, helps, but the impact is not significant and it also brings down the overall UX.


This makes it possible to implement support for WebAuthn purely in software, making use of a processor's trusted execution environment or a Trusted Platform Module (TPM).

Hell no. Do NOT want. No no no no no, never.

A password is a simple concept. That stuff seems more aligned with incentives to create complexity, and thus increase possibility of things going wrong. Not to mention the overall dystopian nature of it all.


What’s your plan to reduce the number of successful phishing attacks?

Password managers are a perfectly reasonable answer, but they need to hide the text entry field, to make sure everybody actually uses the password manager instead of entering a password by hand.


Education. Not turning users into even more idiotic helpless creatures.


Education has been the plan for the past twenty years. Has it worked?


How long did it take for most people to become literate in general?


Unfortunately, we live in the present, not hundreds of years in the future. The fact that it took so long for literacy to take hold seems like an argument against trying to use education as your go-to solution to a problem, since it’s not only slow, but also spreads unevenly and unpredictably.

Also, I resent the comparison between advocating a defensive design, and being opposed to literacy. It’s not as if I’m advocating for locked bootloaders, or anything else that would prevent a determined user from doing whatever they want. I’m arguing that manual password management should not be the obvious default.


"I resent the comparison between advocating a defensive design, and being opposed to literacy."

Perhaps you shouldn't - this is like Conway's law: systems tend to mimic the communication structures of their organizations.

When you design a system which encourages a certain philosophy, you create "positive" potential in that direction. By designing and promoting systems which reduce user control, you further the communication model of top down hierarchical control.

Why should I trust Webauthn? What stops it from itself being hacked? People with password managers, no control over authentication, end up less, not more secure. The only way to increase security is modularization - if you don't want phishing attacks to occur, you should isolate the process. You should have more than one password, and you should absolutely not store them all in one place.

There have been several indications in this thread how you can isolate the process, none of them require overly complex, big brotheresque solutions.


A password manager would detect that the site doesn't match, so unless you copy it out of the vault directly it's likely to keep you secure.


A lot of popular password managers share them across subdomains by default, so if you manage to get this on a subdomain of the target domain it'll work fine.


If an attacker can get arbitrary content on a subdomain of your site, isn't that pretty much game over for credentials on the apex domain?


There are various times where I copy out the password manager password because it just doesn't play well with the site. This includes big sites like the AWS console, btw.


At least with BitWarden, when I click on the extension icon, the site in question should still show up. If I have to search for it, either the domain has changed or something smells phishy.


Unless your password manager displays a popup to be unlocked. Then that's spoofable too. Which is why I paranoidly move the popup to overlap the URL bar before unlocking.


Browsers need the equivalent of a secure attention sequence[0].

[0] https://en.wikipedia.org/wiki/Secure_attention_key


The section on the key combo for Linux and its linked documentation page in the footnote says the sequence is not C2 compliant. Is it because of the location of the keys involved, or rather what they do or don't do?


C2 likely (it's been two decades, I can't remember!) requires more specific protections, than just "kill anything on the current tty".

For example, C2 was pretty keen on only allowing a single admin connection at a time. We actually had to build a mechanism on top of SSH to guarantee that! It wouldn't surprise me if they required SAK to kick out remote users. "Bring this system fully into my control" kind of thinking.


Everything old is new again.


This is genius I would totally fall for this.

I think there's literally no difference between the phishing and real pictures.

Things that would make me notice this: my auto password is not popping up (yes, I use that). I could drag the window to the top or make it full screen and that won't work. I could check if another window is actually open in the taskbar.


>Things that would make me notice this: My auto password is not popping up

On macOS with 1password, there are numerous occasions where this is the case, from SSBs and electron apps, to random other things that 1P just doesn't see. I have to copy/paste my password just often enough that I'd probably fall for this in-browser if I weren't paying much attention.


Yep, but I mean the built-in Chrome auto password suggestions.


I miss the old Windows 95 days of every open window having a visible tab on the panel next to the Start menu. But of course, nowadays everyone has dozens of open applications at all times, so it's a less feasible design.


Well, everyone but me is dumb, then.

On my Windows 10 work systems, I turn off the default "hide and collapse" behavior so I can read the window titles.

I know normal users cannot read, but the titles are useful for me.


Same here. I cannot imagine using Windows with the default "combine taskbar items" behavior, I've turned it off ever since it was introduced in the XP days.


Win95 (and newer) let apps create windows that are not visible and don't appear in taskbar.


The real window has a scrollbar, the fake doesn't. But I'm pretty sure a scrollbar could be faked as well with a little more effort.


Totally missed that


Fringe desktop environment, with fringe setup (like non-default window name styling, use of bitmap fonts, etc.) certainly helps here.

The attack would have to be very well targeted, to fool the user.

I only ever fool myself with my own desktop screenshots. :D


The red death zones strike again https://textslashplain.com/2017/01/14/the-line-of-death/

Seems like web browsers aren't really secure enough for anything that needs a password anymore.


I was expecting a wasm browser inside the browser. I'm sure you could do something really rather sophisticated with that. No idea what though.


That's coming. It will be used to deliver un-blockable ads, though.


Sad, but likely.


There's a project which adds a second location bar in the viewport for older browsers (going back to IE 5-ish days, I think), then lets you browse modern websites with it by rendering them headless and only sending over image maps. It was also featured on HN back in the day.

I was thinking that with a WASM port of a browser engine you could do the rendering on the client side as well, but you'd have to use a host modern enough to run WASM in the first place so... not a great idea on my part


Maybe fix DNS?


I use Bitwarden, but on rare occasions when I need to type a password, I always type the wrong password the first time just to be safe. I have always had this fear of spoofing, which now looks very real.


Pretty easy to just proxy the password through to the real service, and see if it fails or not before adding it to your pwn DB.


If you're worried about this attack in particular, then drag the window above the line of death.

https://textslashplain.com/2017/01/14/the-line-of-death/

Now, if you got put into fullscreen mode without realizing it, that's another problem.


This is a benefit of password autofill systems: they aren’t looking at the visual content of the page, just the origin information. If they don’t match you don’t get autofill which is a pretty good indicator of something being off. Then the hassle of actually getting the real password and typing it in may provide yet more time to realize.
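An added example (not from the article, the thread, or any real password manager) of the origin-only matching described above, in Node.js: the autofill decision never looks at what the page draws, only at the page's origin, so a DOM-drawn "popup" inside a phishing page matches nothing. It also models the "share across subdomains" behaviour raised earlier in the thread as an opt-in policy. The vault entries, the page origins, and the tiny public-suffix list are all constructed for the demo.

```javascript
// Constructed vault entries: the saved origin is the site the user logged into.
const VAULT = [
  { site: "https://store.steampowered.com", username: "alice" },
  { site: "https://login.microsoftonline.com", username: "alice@example.test" },
];

// Hypothetical, deliberately tiny public-suffix list; a real manager would use
// the full Public Suffix List.
const PUBLIC_SUFFIXES = ["com", "net", "example", "co.uk"];

function hostOf(origin) {
  return new URL(origin).hostname.toLowerCase();
}

// eTLD+1 ("registrable domain") computed from the toy suffix list above.
function registrableDomain(host) {
  const labels = host.split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.includes(suffix)) return labels.slice(i - 1).join(".");
  }
  return host;
}

// Strict policy: scheme and host (incl. port) must be identical.
function sameOrigin(saved, page) {
  const a = new URL(saved), b = new URL(page);
  return a.protocol === b.protocol && a.host === b.host;
}

// Loose policy (the "share across subdomains" default some managers use):
// any host under the same registrable domain qualifies.
function sameSite(saved, page) {
  return registrableDomain(hostOf(saved)) === registrableDomain(hostOf(page));
}

// Returns the usernames a manager would offer to fill on `pageOrigin`.
function autofillCandidates(pageOrigin, { shareAcrossSubdomains = false } = {}) {
  if (new URL(pageOrigin).protocol !== "https:") return []; // never fill over http
  const matches = shareAcrossSubdomains ? sameSite : sameOrigin;
  return VAULT.filter((e) => matches(e.site, pageOrigin)).map((e) => e.username);
}

// BITB case: the "popup" is DOM inside the phishing page, so the origin the
// manager sees is the phishing page's own, and nothing matches under either policy.
console.log(autofillCandidates("https://free-skins.example"));                                   // []
console.log(autofillCandidates("https://free-skins.example", { shareAcrossSubdomains: true }));  // []

// Subdomain case from the thread: content on another subdomain of the real site
// gets a fill only under the loose policy.
console.log(autofillCandidates("https://community.steampowered.com"));                                  // []
console.log(autofillCandidates("https://community.steampowered.com", { shareAcrossSubdomains: true })); // ["alice"]
```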


I’ve encountered many legitimate cases where the password popup doesn’t show and I have to manually copy paste.


The attack is quite good, it'll probably work in many cases. I wonder why I would land on a dubious website, and why I would want to log in on it.

While the attack might work, I doubt most of the accounts collected would be very valuable for the attacker. It would be mostly people looking for free porn or broke people trying to pirate some movie.


> I wonder why I would land on a dubious website, and why I would want to log in on it.

Random phishing attacks via e-mail? Someone posing as a colleague or whatever, telling people to use this new thing for whatever reason, like a dubious OneDrive link.

Bonus credibility points: it uses login with MS, so it must be legit, since we're all using Office365!

Plus, random-non-tech-literate person won't be tipped off by MS requiring another login, especially since they've been trained by IT to log in very often thanks to ridiculously short session durations.


I foresaw this attack years ago. It makes me feel a bit smug to see it implemented.

My idea used the same modus operandi: sniff the victim's OS and browser, and present to them a UI custom tailored to fool them.

I always thought the ability to open a browser window without a navigation bar was a terrible idea. Not just because of this attack: I always want to see the URL I'm visiting.

Tangent: I was using the Minecraft Launcher GDLauncher, and it pops a nav-bar-less browser window for the purpose of logging into my Microsoft account [1]. It felt so suspicious, not being able to confirm I wasn't being phished. To make matters worse, if you click the "I can't use my Authentication app right now" button on the nav-bar-less browser window, it triggers a password reset email, not an I-can-indeed-access-this-email-account confirmation email.

[1] You need to present a Microsoft token to play Minecraft online.



Every time Safari pops up a "passwords are locked" box in the browser window asking for my login password in order to access saved web site passwords, I think it's a fake popup.


I’m constantly being asked to re-enter my password by Microsoft and Google. They’re training users to type their password into anything. The OneDrive prompts on Win10 might as well be a phishing simulator.

You could trick so many users just by randomly popping up one of these that pretends to be an MS365 login. Users are accustomed to the prompts and will blindly enter their credentials. Then the box will disappear and nothing will happen, just like OneDrive.


Having worked at a place where the AWS console session only lasted an hour, I could've easily been fooled if a fake SSO prompt was placed in front of me. "Oh joy, time to login for the sixth time today."


I miss the days of well-known companies criticizing oauth:

https://web.archive.org/web/20160213213455/http://blog.mailc... - MailChimp, "social login buttons aren't worth it", 2012


Possible mitigation measure:

1. If identity providers start offering a dynamic, trusted element within the critical pages (login, password prompt, 2FA/OTP verification etc)

2. if such dynamic element is from a known range/set of customer/trusted-party supplied identity elements.

Ex. During my account creation, say I am prompted to select some "secret identity themes", and I choose { batman, bike, carrots }

At the login/password/OTP prompt, I am shown a 3x3 grid of pics / words / hints, which have at least 3 (or whatever configurable number, in my account preferences) that are somehow connected to my "secret identity theme". This way, I know I can trust this page. The grid also has many unrelated ones acting as decoy elements, so that any malicious spoofing party cannot really figure them out.

I believe you get the general idea.

Do y'all feel this can possibly help, in mitigating this very serious & very harmful threat?

I intend to write a short post on this soon.


The Barclays Android banking app gets you to choose a few words that you make up, and displays those words on the login screen as a way of authenticating to you that it actually is the Barclays app login screen.


I remember some big service many years ago (maybe Yahoo?) had a “memorable image” or something that was associated with your username as some kind of anti-phish metric. Of course nowadays that would be trivial to bypass with something like Modlishka or a different reverse proxy passing through the website content.

https://github.com/drk1wi/Modlishka


Yes. That's why a cluster of elements for a "secret identity theme", instead of just one image. (After all, infosec/security is finally just a game of making reward-to-effort ratio too impractical for most threat-actors & thus achieve reasonable 'sense of security', in a world where exploits exist for almost every ring in the stack - including ring 0)

I feel BITB mostly gets used by those who may not really be having access to lob a proxy attack at the intended target as well, which filters a good set, among potential victims.


Maybe I’m misunderstanding but what’s preventing you from passing on the cluster?


Didn't get your concern. I was saying that BITB actors typically won't be running a proxy within the network.


I think the concern (if you ever see this comment) is that an attacker will for instance put the fake browser ui around an iframe to a proxy to the legitimate website content using a tool like Modlishka. In that case, whatever is presented to the user in the legitimate application (including whichever superheros or whatever are selected that time around) and all of the bogus images will be presented in the proxied version. Transparent proxies like that are very effective ways of doing phishing because you can phish 2fa or even SSO or similar info by just passing on a legitimate login page to the user but through your MITMed page.


Yes, I understand that BITB+MITM is a huge risk. But my point was that most who want to run BITB won't typically have the means to run an MITM along with it. (unless 'MITM within a browser' becomes a reality!)

I was trying to say that the dynamic security element helps in filtering at least the most common kind of attack, which otherwise leaves consumers to bear a very large risk.


Perhaps this is the thing that I don’t understand. Why wouldn’t an attacker have such means? This attack isn’t something that requires control of the network, it’s just a fantastic way of producing a lookalike page.


BITB will work much better once we can compile and run popular browsers via WASM. Just look up the user agent, find the matching browser and render it to a draggable canvas. Obviously you'll find something off if you're not using Windows/MacOS. But that still leaves 99% of desktop users vulnerable.


Browsers via WASM doesn't gain you anything unless you're also shipping the matching OS via WASM which, even if that happens to be Windows 2000, isn't going to be fast enough to be believable. Without shipping the OS all you've got is a really weird looking browser window that still takes forever to load and run.


With some clever animations it can even phish a majority of mobile users too, like some Safari new tab sliding into view. They probably can't exactly replicate it, as they can't actually move the address bar and title views etc., but they'd pull off something good enough to get most of the non-tech-savvy mobile users.


Latency might be a tell. Shipping Chrome as WASM can't be cheap.


In the near future we could be saying "this is why we can't have nice things" or this could be used as a justification for further reduction of privacy. A remote AI could view every page in a cloud browser and alert us when the page looked like a browser. Come to think of it I heard of a newfangled cloud browser a few months ago. On the "this is why we can't have nice things" area we could have something like the orange dot that shows when an app is using the mic on os x, and makes experiences that involve a mic a bit less immersive. https://www.reddit.com/r/MacOS/comments/qhbt4n/how_to_disabl...


I find it weird to publish this as a repo. The idea is fairly obvious, and has been used in the wild for decades.

All this does is lower the effort an attacker needs to invest to replicate it. It's pointing out bike locks are cuttable and then handing out free bolt cutters to whoever walks by.


I think you'd be surprised how many laugh about people who click fake static windows in ad areas compared to how many have thought "this popup login window could be fake" when using 3rd party authentication on a site. The latter isn't new but it's certainly less commonly known/talked about.

And if it's been in the wild for decades then people are already going around with bolt cutters, it's probably good people without bolt cutters understand that.


Very interesting, and certainly hard to catch, even for technical users. Maybe it is things like this where google is justified for "forcing" 2FA on us. Lowers, although minimally, the effectiveness of auth credential attacks.


You cannot move the fake window out of its parent, but you can do this with a proper popup window. So it can be caught, but this is (at least) inconvenient and easy to forget.

As is 2FA, e.g. when I'm using a tablet in bed and the smartphone for the 2nd factor is on the table in the living room ... I'd like to see 2FA devices which could be easily duplicated, just as physical keys can.


> I'd like to see 2FA devices which could be easily duplicated, just as physical keys can.

Many can - what phone based 2fa are you using that can’t sync to your iPad?


OK. I was in bed already when writing this, so didn't properly describe the features of physical keys I value. And, btw, most of the time it's a lightweight laptop, not a tablet. "Tablet" was a "placeholder" for just any other mobile reading device.

While I could duplicate 2FA credentials onto another device, even onto my wife's device (if needed, e.g. for online banking), the attractive feature of a _physical_ key is that I can control the number of copies and "revoke" one after handing it over for a short time and then recollect the device again. That's not as easy with virtual "keys" like authentication apps.

At work, we use smartcards to store credentials (i.e. X.509 certificates). And you are allowed to get a second and even third card, if needed. So I can have one in the office, and one at home. All are protected by their respective PINs. And we do have bluetooth based card readers for smartphones. That (possibly miniaturized like a yubikey) is my preferred model of a "physical" device to use as a key.


I thought this was called "Picture-in-Picture attack"

http://www.usablesecurity.org/papers/jackson.pdf


Worth noting these have been in the wild for years. It's often used to phish for Steam accounts.

BTW, if you're using TOTP 2FA, that typically gets phished too.


I don't think this attack can be used on a large scale, because if the browser has a custom theme you will quickly notice that the popup is not from the browser. If it is used on one person, with the popup customized for their specific browser, it is almost impossible to notice.


The vast majority of people tend to stick to the default theme. And of course, those also tend to be the most vulnerable to phishing attacks.


New security tip: drag every login pop-up window outside of your browser. If the window can move out of the browser, it's (more likely) legit (or at least you know the address bar is real to check); if it doesn't, then you're being phished.


Another potential mitigation for this would be for browsers to include a unique, user-specific, favicon-sized image in the address bar next to the lock. If the image doesn't match the one you see everywhere else, you know it's a phishing attack.


Or it'd be nice if people didn't have to play hide-and-seek, Schwarzer Peter, and spot-the-difference games when they just want to browse the damn internet.


An incredibly large amount of the complexity that exists in today's internet infrastructure could be eliminated if we didn't have to worry about security/trust. No need for HTTPS, encryption, or even passwords for that matter (in a perfect world where everyone is who they say they are). No need for certificates, no need for public/private keys, no need for ASLR, etc.

Of course, these protect against more than just malicious behavior; they also provide safeguards against human error. However, in a world where malicious behavior didn't exist, many of their designs could probably have been far simpler.


Hmm, for web forms this has been overcomplicated for the past decade...without needing to worry about security even.

In a trusted world, you still need to worry about order of operations, resource exhaustion, and redundant resiliency...as these are forms of addl complexity perhaps we should get rid of the internet itself...

Distributed systems localize all complexity and don't suffer the same sorts of security issues... The answer to "who is this" is still a problem if only we could program based upon how they behave versus who they are...

In a world where components themselves acted independently of their masters' intentions, you might be able to make this work. Computers would have to act very differently, almost self-computing systems.

Perhaps what I'm describing is a world run by robots, and so in the absence of proof they would treat us better than we do ourselves, perhaps a bit of consistent pain is worthwhile.


I did not refer to plain security measures. All security measures you listed can be and, in fact, are well hidden under the hood, so the end user does not have to worry about them.

I was more about the insane consequences of today's web's abilities: it wants to do anything and everything with the user's computer; it's basically an independent OS. There is no Line of Death anymore, no clear boundary between what the user can trust as they trust the OS vendor and locally installed and audited software vendors, and, on the other side, what they trust as an unknown 3rd party on the web.

See "paypal.com" vs "paypaI.com", Unicode look-alike chars, the public suffix list, etc. type of tricks; domain names were invented to be consumable by end users, but as they are sold and used, that's not the case anymore. So users nowadays should not be pressured to watch domain names with bleeding eyes. See the "URL bar padlock" issue; several surveys have demonstrated that users do not understand and do not care how the padlock feels.

Users cannot confidently Ctrl-C anything on any website anymore. Using "clever" JS APIs, web devs mine bitcoin with the visitor's CPU, DDoS other online resources via the visitor, store CSAM on the visitor's computer, trigger epilepsy in visitors.

Then, on top of all these, engineers want to solve complexity problems by putting more complexity in (like solving a civilizational problem with more technology). Some suggest building in an AI which watches whether something appears on the screen which looks like a window but is not?! Come on! Why not just not let untrusted code do anything on your screen and computer?

I understand client-side scripting is made very powerful and enables many wonders for the entertainment of the masses. It may be a maintainable path to provide a general-purpose language to the "App Web", where users can run programs with on-click installation (i.e. loading a web app on a web site in the web browser). In this case browser vendors and users should prepare for the possible abuses that the general-purpose in-browser computing environment enables.

But on the other hand, many users with reasonable use cases expect there should be a "Docu Web" just as the WWW was born to be (with necessary improvements and modernizations of course; I don't advocate for a "Mosaic 1.0 experience") with no accidental transition to the "App Web". This other web, the "Docu Web", should be free of any complexity which may lead it to become the "App Web" again: I imagine a library/bookstore/newspaper store/journal/shared notes/etc. network, but online.

So that you don't need to worry that: a jumpscare pops out of a book when you turn to page 123; or other library visitors insert pages in the book you read; or last week's newspaper shows you different articles than your neighbour's; or someone reads your mail because you watched his audiovisual report before; or the librarian pushes certain authors and suppresses others based on bribes. Sorry for the seemingly absurd analogies, but there were (and are) times when these were possible on the "All-in Web" due to inconsiderate government and adaptation of standards.


Browsers, which seem to replace certain parts of current operating systems, aren't very safe. Here's one more example:

"This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain."


They are reasonably safe, given their size and complexity. They are certainly a lot safer than current widely used operating systems - those aren't designed for running unknown adversarial code at all - something a browser does all the time in typical use.


The strength of browsers (universally, near instant code deployment via URL) is also a weakness, unfortunately.


What alternative do you suggest?


A good solution is browser actually implementing useful stuff like needed widgets and useful features.

For example, have a <login> element; browsers will style it the same for all websites and prevent developers from misleading the user.


>For example, have a <login> element; browsers will style it the same for all websites and prevent developers from misleading the user.

More importantly, display it to the user in such a way that no website can spoof it. For instance, it can dim the entire window (e.g. like UAC on Windows).


This doesn't solve it because then the phishermen will simply start cloning the <login> element style.


>This doesn't solve it because then the phishermen will simply start cloning the <login> element style.

You do the login in a native popup, similar to how you give, say, camera permissions.


This seems like a decent solution as compared to the alternatives presented so far throughout the discussion.

Folks who browse in an edge-to-edge maximized window will still be at least somewhat-to-quite vulnerable, especially if less tech-savvy or vision impaired. I generally don't browse this way, mostly due to the relatively insane* width of displays in general these days.

Would mobile users still be vulnerable? Due to:

1. Tiny screen dimensions.

2. No option for "window" resizing. It's not even a thing.

* OT: Displays today are wide to such an extreme they tend to be too wide for my needs and tastes. Eventually it's too much like staring at the bottom 1/5th of a full-sized 4k display, which work sent me but turns out is mostly good for watching Batman, The Matrix, and other ultra-wide theatrical film releases. Granted, at this task, a 34" 1440p widescreen excels marvelously.

Surely you've heard the joke (or is it an adage?):

"With that 34" display, it can [finally] render a Java Class Name and fit it within a single line. But after the IDE and debugger open, you can only see the one line.


You can add more security features like

- the login popup could integrate with your OS so depending on your options it could pre-fill the username and password or only the username, a faked one will be forced to guess your username.

- the fake stuff always failed for me; I am using Kubuntu and all those fake popups were using an XP theme.

- because some OSs don't give you the option to customize shit anymore, in this case they would make an exception and ask you to personalize the login popup, like ask you to use an avatar img from a big list that is sorted randomly and maybe a color; anyway Apple and Google have the money to pay someone to think more than 5 minutes about this, so there could be even more solutions for these permission popups.

>With that 34" display, it can [finally] render a Java Class Name and fit it within a single line. But after the IDE and debugger open, you can only see the one line.

Don't hate long names, hate bad names.

I found a bug in our project caused by such bad short names; a good, clear name is always clearer than some misleading short one or a random short string.


I'm pretty sure I could be fooled by a really good fake HTTP Basic Authentication prompt. Yeah, technically the real one is distinguishable, but it seems like it would be easy not to notice.

(here's a real one http://httpbin.org/basic-auth/foo/bar )


Interesting, Firefox made it overlap very slightly with the browser chrome, which I'd never noticed before; is that, perhaps, specifically because of this issue?


The popups to give permissions are already being spoofed by pages. Fake Chrome permissions requests for notifications get around Chrome's detection of sites that request to send push notifications too aggressively. You can't stop this unless you physically take over the full screen for stuff like login, which is extremely disruptive.


Reminds me of the old 90s days of Apache with .htaccess files Auth setup.


90s? I use that to this day!


Opening the auth window in a tab instead of a window would help. Including an avatar and extensions in the popup window and opening it on top of the chrome on the main browser window would help to differentiate it.


Even if browsers did this, you can still execute this attack. As long as not all of your users know what the expected behavior is, you can trick them with a fake UI as long as it looks believable.


The goal is not to protect 100% of your users, it is to reduce the number of users who are currently vulnerable. One is possible, one is not. If you can significantly reduce the number of users who will fall for an attack, then it is a success, even if not everyone is protected.


Thought experiment: what about an actual BITB attack? With the browser being painted on a Canvas element and rendered by either the client itself with WASM or on a remote server and an X client running in the user's browser?


The browser could give the user a unique popup style (colored borders, etc.). As long as that info is hidden, this attack would have only a tiny chance of succeeding.


This has been around for years. I usually see it with fake steam logins. It's obvious when you see W10 decorations when you are on Linux.


How is he making the URL in the popup look legit?


AFAICT it’s not a popup. The “window” is actually a DOM element designed to look like a window floating over the web page. The entire “window”, url bar and all, is just a cleverly disguised part of the phishing website.


Aah, I see. Thank you.


Maybe windows containing password entry boxes should be forced to overlap the browser chrome of their opener.


Finally, an attack that redefines my tiling window manager addiction as a security measure.


What would it look like on i3? :)


Another important reason to use a password manager.


This appears to be unfixable.


It reveals the fundamental security flaw that is the username/password system in general.


Someone at Google is going to use this as proof that the URL bar in Chrome should be hidden from the user by default, for security reasons of course.


Wouldn't help, would it? The attacker would just change the template to not have a URL bar (or a URL bar with just the domain).



