undefined | Better HN

0 pointsKliment15y ago0 comments

Suppose I send you a link to a page I own. I start this thing on said page and track what you do with the rest of the session on the off-chance that you do something sensitive with it. It's like a single-tab key/screenlogger. Combine this with traditional phishing methods (which already work) and you might get valuable data. It's going to be at least as effective as current phishing methods, with the added advantage of not asking for personal data on the landing page as well (so users don't get scared off).

A similar attack would be to override the back button. You know those sites where the back button takes you to a redirect that takes you to the same page? Take one of those, but on the redirect page save the referring URL. Then when the user hits back, have the redirect page start the session sharing and redirect to the referrer. Sounds plenty dangerous to me.

0 comments

tlrobinson15y ago

You understand this works by proxying webpages, right? The URL bar is going to show the URL of the proxy, not my bank.

If you consider this to be dangerous that's a flaw in every web browser ever, not this piece of software. This kind of thing was possible 10 years ago too.

KlimentOP15y ago

That's how every phishing plot works, no? And still they get data. This makes it a step smoother.

_urga15y ago

Re: "sounds plenty dangerous to me"

Often, it's the "sounds plenty dangerous" innovations (fire, automobile, chainsaw, theory of relativity), that provide the most utility.

KlimentOP15y ago

Oh, certainly. The fact that it can be used for evil makes it no less impressive and useful for other purposes. But thinking of this attack makes me wonder if our browser security models are getting outdated. With things like this possible, and so much valuable data being web-based these days, is there any way of using cool things like that yet avoiding the major risks?

InclinedPlane15y ago

Flight, gunpowder, surgery, sailing, heliocentrism.

j / k navigate · click thread line to collapse

0 pointsKliment15y ago0 comments

0 comments

tlrobinson15y ago

You understand this works by proxying webpages, right? The URL bar is going to show the URL of the proxy, not my bank.

If you consider this to be dangerous that's a flaw in every web browser ever, not this piece of software. This kind of thing was possible 10 years ago too.

KlimentOP15y ago

That's how every phishing plot works, no? And still they get data. This makes it a step smoother.

_urga15y ago

Re: "sounds plenty dangerous to me"

Often, it's the "sounds plenty dangerous" innovations (fire, automobile, chainsaw, theory of relativity), that provide the most utility.

KlimentOP15y ago

InclinedPlane15y ago

Flight, gunpowder, surgery, sailing, heliocentrism.

j / k navigate · click thread line to collapse