
The Next Web uses cheap JavaScript hack to fool you into installing an extension - twapi
http://www.downloadsquad.com/2010/07/13/the-next-web-javascript-hack-chrome-extension-phishing/
======
rg3
I think this issue signals a problem with the UI in Chrome or Firefox, or any
browser that creates this kind of popup. The problem is that, by placing the
popup above the webpage contents, the webpage creators can mimic that native
UI and create the same effect with the page contents themselves, and you don't
know if the popup was created by the browser itself or if it's part of the
webpage.

I think the problem could be solved by modifying the UI in the browser in such
a way that you don't allow the webpage to create a similar popup because there
would be a visual barrier that clearly indicates when the popup is part of the
browser itself and when it's not.

~~~
stwe
The problem is that the browser-owned control bar is right next to the web
content. It's good for usability (quick to reach with the mouse), but opens the
door for trickeries like clickjacking (that's actually why there's a
countdown when you want to install an extension in Firefox).

I filed a related bug a year ago at Mozilla:
<https://bugzilla.mozilla.org/show_bug.cgi?id=497388> but it didn't get anyone
busy (no offense). We probably have to wait until browser extensions are more
commonplace and these kinds of UI vulnerabilities get exploited on a regular
basis.

~~~
kgermino
This may be a stupid question, but how does the countdown prevent
clickjacking and the like?

Thanks in advance for any answer.

------
zeedotme
You should know that we added that this morning. It was built by the guys
at idiomag.com, as is the JavaScript. Once we realised that it could
potentially confuse or "trick" people, we removed it.

~~~
illumin8
Really, what excuse could you have had for including such content in the first
place, other than malicious intentions? Surely you review all content before
placing something on your pages, right?

I'm not buying this feigned innocence. It's like listening to Zynga say giving
Farmville credits for users to sign up for trial offers is perfectly
legitimate. They know perfectly well the revenue generated by getting
thousands of users to sign up for free trials of stuff that is impossible to
stop before the bill gets charged to your card is generating more money than
legitimate ads/networks.

You're using illegitimate ad networks because it pays a higher CPM, period.
Just admit to it so we can blackhole your domain without bullshitting us.

~~~
zeedotme
Jesus, are you serious? You really think we want to scam our readers? Dude
seriously sort your shit out and learn to trust a little, have a little faith.

And no, we didn't review the JavaScript bar that was placed at the top of all
our pages, but as soon as we saw what it looked like, we removed it.

And what illegitimate ad networks?? We use Google Adwords and Federated Media!

Don't go making accusations like that until you've got your facts straight.

And seriously, where did you get such distrust and anger? Ridiculous.

------
pclark
The Independent has had this toolbar in the past.

Wasn't there even an IE6 hack that spoofed "this browser has critical updates"
and updated the browser to IE7?

------
jared314
One man's cheap trick is another man's UI integration. I've done something
similar to mimic what the end-users were accustomed to.

