
Chrome hack prompts users to download 'missing font' to install malware - artsandsci
https://thenextweb.com/security/2017/02/21/chrome-missing-font-hack-malware/
======
cprecioso
Isn't there any way that browsers/OS could signal "this dialog you're seeing
right there is from us and not from the website you're visiting"? Most people
know to look for the lock icon in sensitive pages, so it could be extended to
that as well.

~~~
angry-hacker
A lot of content is not from the sites you visit. Ads, often videos, things
that your cdn hosts etc.

You can use CSS to draw anything on the screen. Inside the viewport of course.
The garbled text is clever but otherwise it's just a typical scam to make you
install spyware.

Heck, the majority of ad networks run these things. You have 5 viruses, download
this thing.

~~~
cprecioso
> A lot of content is not from the sites you visit. Ads, often videos, things
> that your cdn hosts etc.

Yes, that's why I'm asking about a way to unequivocally recognize that a
dialog _is_ from the browser, for example, drawing things completely outside
the viewport (without overlapping it) or changing the browser chrome's colors.

~~~
angry-hacker
Maybe something like a Windows UAC alert then. Disable all the background and
dim it.

~~~
RugnirViking
> Disable all the background and dim it

Surely this is trivial to reproduce with CSS in the webpage, and is in fact
what the images show here.

