
The inception bar: a new phishing method - jamesfisher
https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-phishing-method/
======
userbinator
"Ceci n'est pas un UI."

This _specific_ example may be new, but the concept of fooling users with
websites containing images of the system's own UI is not new --- for example,
all the fake antivirus alert boxes. That had a relatively easy mitigation ---
using non-default appearance on your system (e.g. an XP-style "you have a
virus!" dialog box image would just look silly if you weren't using XP with
the default theme), but it seems the trend toward un-customisability is just
going to lead to this being even more easy to exploit.

Of course, mobile browsers hiding important information and being even more
un-customisable makes this worse.

 _Well, even I, as the creator of the inception bar, found myself accidentally
using it!_

When reading a product's documentation that has screenshots explaining how to
do something, I've also accidentally tried to manipulate them instead of the
actual dialogs. I'm sure others here have had similar experiences too.

~~~
Waterluvian
In high school we would screenshot the windows 98 desktop, make it the
wallpaper, hide everything, and watch people fluster about.

~~~
emmelaich
Older school even -- instead of logging out of (real hardware) terminal
sessions, exec a program which prints `login: ` and disables keyboard
interrupts.

Read people's creds and store somewhere, then issue a 'wrong password' msg and
exit, resulting in the real login message.

People will just assume they made a typo and continue as if nothing happened.

I've argued before for a genuine out-of-band independent display on machines
which can only be written to by some very high privilege process.

~~~
jsmith99
That's why Windows can be set to require Ctrl+Alt+Del before login as it can't
be intercepted by a fake login screen.

~~~
baddox
Similarly, the iPhone X requires double-pressing the power button to complete
a purchase using Face ID. Previously, with Touch ID, the authentication action
itself was also sufficient to establish intent (placing the finger on the
sensor). But with Face ID, any app could just pop up the purchase window and
Face ID would see your face.

Incidentally, this is why Face ID is strictly worse than Touch ID in my
opinion.

~~~
joe5150
how is it worse? touch id’s serving as authentication and approval for payment
was actually exploited as a scam. I don’t see how this could be done with face
id.

[https://www.wired.com/story/iphone-touch-id-scam-apps/](https://www.wired.com/story/iphone-touch-id-scam-apps/)

~~~
baddox
That’s fair. I never encountered anything like that. In my experience Touch ID
was faster, more reliable, and more versatile (e.g. able to be activated with
the phone lying on a table without peering over it with my face).

~~~
hvidgaard
I happen to be in a situation where I have a phone with Face ID and one with
Touch ID.

Touch ID with wet or slightly dirty fingers are not good. I've been doing some
gardening over Easter and Touch ID is barely working because my fingers are
more rough than they normally are.

Face ID on the other hand, works just as expected. It doesn't work optimally
if I'm lying down, but that's not a problem for me personally.

------
akersten
With a little polishing this would be quite the "exploit" - trap the user in
your fake browser, actually load pages that are entered into the fake URL bar,
replace content only on certain patterns...

The only solution here is a proper line of death [0]. It defeats the purpose
of the LoD when it dynamically shrinks from user action.

[0]: [https://textslashplain.com/2017/01/14/the-line-of-death/](https://textslashplain.com/2017/01/14/the-line-of-death/)

~~~
geuszb
Thanks. This is a great reference indeed!

The challenge is preserving ability for content to control all pixels; without
it, the content ecosystem ends up developing single-purpose, generally crappy
apps, which isn't necessarily a better thing either...

I'm not sure it is the only solution either - what about "secure attention
key" type ways to get the system's attention (in this case the browser's),
bypassing any content interception? For example, what if there was a key combo
guaranteed to always bring in the browser UI, and typing that key combo was
necessary before inputting any password field?

Alternatively, the reliance on browser password management could provide some
security if it can be trusted to always work...

~~~
akersten
Those are some good ideas too - "only solution" was a bit hyperbolic - but I
do think our options are limited, especially on mobile.

The Secure Attention Key is interesting, but would need the user to know you
press it. And on mobile, it would probably need to be a dedicated button on
the device, since I could just fake the on screen keyboard too.

Password manager auto-fill failing would clue a savvy user that something was
wrong, but I suspect many would just assume it's a glitch and manually enter
their credentials.

I saw a reply in another thread suggesting customizable browser background
images for the UI bar, which a website would have no way of replicating. In my
opinion that's probably the best approach, although it might mean throwing
away the ability for sites to set the background color of the UI to match
their theme (arguably losing nothing of value :).

~~~
Natanael_L
With the use of gesture controls and swipe-up menus and "soft keys", etc, why
not put in something like the "pie control" apps on Android, where the OS
controls one part and the app controls another?

Consider a semi-configurable universal menu with a well defined access method,
where you always can back out of the app, and in the case of browsers also
have guaranteed access to switching tabs and accessing options, etc.

------
ikeboy
I happened to have 26 tabs while loading this, and spent a minute trying to
figure out how the fake bar "knew" my open tab count

~~~
lucb1e
... so how does it?

Edit: saw in another comment that it's hardcoded, so it was coincidence. That
makes sense.

------
afandian
I can't help but think that this was made possible by the complete collapse in
common UI standards. 'Apps' have stopped being OS-toolkit apps and moved onto
the web, and of course each designer needs to have their own special on-brand
widget style. This has leaked onto the few remaining desktop apps: Chrome
rejects the standard Mac OS widgets and reimplements everything, from buttons
to the print dialog. Spotify does its own thing. And lest we think Apple has
much respect for UX, iTunes is a mess. I genuinely can't use it.

The result is that users have been trained not to expect consistent UI
paradigms. Every UI is hunt-and-peck. And that paves the way for this kind of
exploit.

~~~
dan-robertson
I don’t see what relation this rant has to the op. Surely the issue here is
nothing to do with the ui displayed and more to do with the fact that it is
possible to fake the browser ui. Even if chrome were using traditional
controls on a desktop, one could imagine an exploit where clicking a malicious
link puts the browser in full screen mode (most browsers only accept being put
in full screen mode from event handlers for user interactions like clicking),
and displays a fake browser ui inside.

This was anticipated and partly avoided by a reasonably large modal which pops
up to tell you you’re in full screen mode, and disappears after a few seconds.

Another similar exploit on desktop was to set the cursor of the page to be a
very large image which would overlay the browser chrome and put some fake
information there.

The issue on mobile could perhaps be reduced by having some amount of ui that
doesn’t go away (safari does this in portrait mode). Another help could be to
not make the ui disappear (or make it reappear) when this kind of scrolling-an-
iframe situation arises.
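A defender-side heuristic of the kind suggested here, written as an added example for this thread and not taken from the post or from any browser: it flags a page that both pins a full-width bar flush with the top of the viewport and traps scrolling in an inner container, the case where the browser should keep its own address bar visible. All thresholds and the `assessPage` / `hasScrollJail` names are assumptions, and the sample pages are constructed.

```javascript
// Added illustration (not from the original post or any browser): a heuristic
// that decides whether a page looks like it is forging a browser address bar.
// Input is a plain description of the page, so the logic can run without a DOM.

// Thresholds are assumptions, not browser constants.
const DEFAULTS = {
  minBarHeight: 40,    // CSS px; a fake mobile address bar is roughly this tall
  maxBarHeight: 90,
  minWidthRatio: 0.95  // the bar spans (almost) the whole viewport width
};

// True if a pinned element sits flush with the top edge and spans the viewport,
// i.e. occupies exactly the space the real address bar occupies.
function isTopPinnedBar(el, viewport, opts = DEFAULTS) {
  const pinned = el.position === 'fixed' || el.position === 'sticky';
  if (!pinned) return false;
  const flushTop = Math.abs(el.rect.top) <= 2;
  const wide = el.rect.width >= viewport.width * opts.minWidthRatio;
  const barHeight = el.rect.height >= opts.minBarHeight &&
                    el.rect.height <= opts.maxBarHeight;
  return flushTop && wide && barHeight;
}

// A "scroll jail": the document itself cannot scroll (overflow hidden on
// html/body) while an inner element is the only scrollable region, so the
// browser never sees the top-of-page scroll that would restore its own UI.
function hasScrollJail(page) {
  const rootLocked = page.rootOverflowY === 'hidden';
  const innerScroller = page.elements.some(
    (el) => (el.overflowY === 'scroll' || el.overflowY === 'auto') &&
            el.scrollHeight > el.rect.height);
  return rootLocked && innerScroller;
}

// Pinned headers are common and benign on their own; combined with a scroll
// jail, the forged bar becomes the only bar the user can ever see.
function assessPage(page, opts = DEFAULTS) {
  const bars = page.elements.filter((el) => isTopPinnedBar(el, page.viewport, opts));
  const jail = hasScrollJail(page);
  const verdict = bars.length && jail ? 'keep-browser-ui-visible'
                : bars.length ? 'pinned-header'
                : 'normal';
  return { pinnedBars: bars.length, scrollJail: jail, verdict };
}

// In a real browser the descriptions above can be built from live elements.
function describeElement(el) {
  const cs = getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return {
    position: cs.position,
    overflowY: cs.overflowY,
    scrollHeight: el.scrollHeight,
    rect: { top: r.top, width: r.width, height: r.height }
  };
}

// Constructed sample: a 360x640 viewport, a 56px full-width bar pinned at top:0,
// and a root locked to overflow:hidden around an inner scroller.
const SAMPLE_FORGED_PAGE = {
  viewport: { width: 360, height: 640 },
  rootOverflowY: 'hidden',
  elements: [
    { position: 'fixed', overflowY: 'visible', scrollHeight: 56,
      rect: { top: 0, width: 360, height: 56 } },
    { position: 'static', overflowY: 'scroll', scrollHeight: 5000,
      rect: { top: 56, width: 360, height: 584 } }
  ]
};

// Constructed sample: an ordinary site with a sticky header and a document
// that scrolls normally, so the browser may hide its bar as usual.
const SAMPLE_BENIGN_PAGE = {
  viewport: { width: 360, height: 640 },
  rootOverflowY: 'visible',
  elements: [
    { position: 'sticky', overflowY: 'visible', scrollHeight: 48,
      rect: { top: 0, width: 360, height: 48 } },
    { position: 'static', overflowY: 'visible', scrollHeight: 3000,
      rect: { top: 48, width: 360, height: 3000 } }
  ]
};

console.log(assessPage(SAMPLE_FORGED_PAGE), assessPage(SAMPLE_BENIGN_PAGE));
```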

------
mk89
Using Firefox for android: if I open the page and scroll down, the address bar
becomes invisible and the hsbc bar shows up. If I keep scrolling down, I just
see hsbc. The moment I scroll up, the original address bar is shown, and even
if I keep scrolling down, the bar does not disappear.

Edit: it's happening kind of randomly. 1 time it happens, 3 times it
doesn't...

~~~
antonvs
Using Firefox Beta for Android v67.0b9, I see the hsbc address bar as a second
address bar below the real one. It remains in place as I scroll, although a
couple of times it disappeared.

Also this version wouldn't fool me because it says I have 26 tabs open. I'm
used to the infinity symbol there!

~~~
mk89
I am using Firefox 66.0.2. (how could I forget to mention that!).

------
lysp
There was a similar thing reported a few months ago relating to a fake
Facebook social login popup.

[https://myki.com/blog/facebook-login-phishing-campaign/](https://myki.com/blog/facebook-login-phishing-campaign/)

It adds the browser elements to make it appear like a verified popup.

The only reason it was discovered was due to users complaining that the
password manager did not auto-populate the form.

[https://news.ycombinator.com/item?id=19188386](https://news.ycombinator.com/item?id=19188386)

~~~
mrhappyunhappy
Back in the day you used to be able to get people to click a series of sharing
dialogs with fake iframe overlays. People were abusing it to get insanely
viral posts shared by millions.

------
Ayesh
This worked brilliantly on my Chime Android, and I'm quite surprised the
scroll-jail trick worked too.

I suppose the author just wanted a quick PoC, but with enough work, one could
mimic an interactive browser address bar, including the menu with refresh,
bookmark, etc. and even the HTTPS padlock with security information. Browser
UIs being designed in CSS itself, one could easily copy/paste from the browser
itself.

------
doctorless
Interesting. iOS Safari seems to force the address bar to stay visible on this
page.

~~~
vegizombie
Firefox for android keeps the bar there too.

~~~
clusmore
Just to be clear, you're referring to real Firefox address bar (pointing to
TFA), not the fake Chrome address bar (pointing to hsbc.com). So yes, in this
case Firefox has (accidentally?) somewhat thwarted this attack vector.

~~~
tty2300
It certainly looks accidental. It hides on scroll on other pages but this one
causes it to half hide and then it pops back up again.

~~~
grahamburger
I noticed this as well. I'm wondering if FF is smart enough to always show
its own title bar if a CSS element is pinned to the top of the viewport?
Gotta do more testing ...

------
rotexo
Whenever I’m looking at an iPhone screenshot someone posted on social media on
my iPhone, I try to navigate using the buttons in the image. There ought to be
a long German word for that experience.

~~~
isoprophlex
Klickbarernavigationselementeillusion?

~~~
FabHK
Benutzeroberflächenabbildungsverwechslungsgefahr

(user interface image confusion danger)

------
b34r
Yahoo actually tried to do this in 2015 with an internal initiative called
“Silver Search” to try and trick Firefox users into using their own yahoo-
powered omnibux. I was fucking livid when I found out about it and complained.

~~~
b34r
omnibox _

------
Waterluvian
I'm not doubting the concerns raised but the fake failed in many ways for me
on my phone with the latest chrome. It didn't appear. Then when it did it
appeared below the existing bar.

But I guess you just need it to work often enough.

~~~
ehnto
It's like the fake "Allow Notification" dialogs on some sites. They look off
to pretty much anyone paying attention, but their target market probably isn't
people paying attention

~~~
jfoster
What's the idea behind those? Do they just get permission before showing the
real dialog, or is it more sinister than that?

~~~
ehnto
It can be more sinister. Although I am sure the other answers are right in
some circumstances, I was curious a while ago, so I actually clicked one.

Whether you click allow or deny, it shot off a network request to a third
party domain. This lets the third party know your browser's user agent, and if
they have an exploit for your browser they will send a payload that
compromises the browser with the intent of installing an adware extension.

It failed to install on the machine I made for it (Ubuntu18/Chrome) but it did
manage to navigate me to an advert from the click.

~~~
jfoster
But any click can do that, right? No need for it to be a fake Allow/Deny
prompt.

The best I can think of is that it does 2 things:

1. Preserves the "true" allow/deny prompt for a time when the user will
allow.

2. Lulls the user into a sense of security. The page is nice and/or their
browser will ask about anything the page tries to do.

~~~
ehnto
My guess is something to do with needing to have a user prompt certain types
of cross site javascript actions.

It also needs to seem legitimate so people click it but don't report it.

------
cookingrobot
FYI this isn’t occurring on chrome or safari on iOS. As soon as the fake bar
appears the page stops scrolling normally - the scrolling inertia stops so
that I can scroll but not “toss” the page, and the real address bar no longer
hides. I wonder if this is a deliberate mitigation, or an accident?

~~~
sjroot
This is because iOS browsers use WebKit and leverage the CSS
`overflow-scrolling` attribute.

[https://developer.mozilla.org/en-US/docs/Web/CSS/-webkit-overflow-scrolling](https://developer.mozilla.org/en-US/docs/Web/CSS/-webkit-overflow-scrolling)

------
colanderman
I understand why this was a problem in 1995, but honestly, in 2019, with image
recognition technology as advanced as it is now – _especially_ due to efforts
by Google – why can't browsers detect this? Surely "does this rectangle look
vaguely like a URL bar" is an easier problem to solve than "is this a
photograph of a cat"?

Sure, image recognition is CPU intensive, but even just checking once every 5
seconds or so would be enough to prevent this sort of attack and pop up a big
"you are being phished" warning. And 99.99% of what occupies that UI real
estate looks sufficiently _unlike_ a search bar that a low-cost recognizer
should be able to rule out phishing for normal sites fairly quickly.

What am I missing? Has this approach been tried and rejected? Is image
recognition of fairly static, flat, 2D, geometric shapes actually far more
CPU-intensive than I imagine?

~~~
snazz
MobileSafari has an interesting feature that your idea reminded me of: it
tries to detect when a site using the Fullscreen API presents an iOS keyboard-
lookalike through the location and frequency of your taps on that side of the
screen. I’ve gotten the warning when doing something else and was impressed
they thought of it.

~~~
colanderman
Neat! That's an interesting way to detect phishing.

------
Gaelan
"Make sure you’ve done a hard refresh of the page"

An inception bar could include a fake refresh button, no?

~~~
jamesfisher
Thanks, and yes! I was originally thinking "pull-to-refresh", but since your
comment, I've enhanced the phishing with another trick: a large buffer at the
top of the scroll jail, which prevents the user from reaching the top, and
thus prevents the user from using "pull-to-refresh". Now, the only way I know
to reliably get out of the page is to move to another app, then back to Chrome
- this seems to cause it to re-display the true URL bar.

~~~
decalages
You can scroll down from the inception bar to display the browser bar again

------
Nextgrid
Related: [https://feross.org/html5-fullscreen-api-attack/](https://feross.org/html5-fullscreen-api-attack/)

~~~
saagarjha
FWIW, opening that link in mobile Safari shows a large “X” in the top left of
the screen and trying to scroll sets off the “it looks like you’re typing in
fullscreen” warning.

~~~
Nextgrid
Mobile Safari? On which iOS version?

On mine (latest on iPhone 7 at the time of this writing) the site just says my
browser doesn’t support the full screen API.

~~~
saagarjha
MobileSafari on my iPad running iOS 12.3 (16F5139e).

------
skunkworker
A recent example that I've been seeing more and more is pages taking over some
system keyboard shortcuts. I've seen pages taking over Command-F and using
their own search interface instead of the browsers. I've found utilities for
not messing with copy/paste, but is there a way to block pages with keyboard
shortcuts in Chrome?

~~~
GordonS
Hijacking CTRL-F drives me nuts!

I really think this should result in a permissions dialog from the browser.

------
hatsix
Everything looks correct on chrome mobile. I don't ever see the HSBC bar,
regardless of how I scroll.

~~~
hatsix
After switching back to chrome, I could see the bar, but the scroll jail
didn't work, so scrolling up showed the original page bar.

------
logicallee
I recently helped someone install vlc. I googled VLC download (relying on
Google) and then clicked through the clearly labelled download links. I
accidentally must have clicked a link twice because two copies started
downloading. The more recent one was finished so I literally started opening
the executable. The only thing that stopped me was that it was called vlc-
streaming or something, and the one next to it was still downloading, slowly.
That's because it was a download triggered by vlc's ad partner. It wasn't VLC.

This wasn't some shady part of the Internet. I was livid.

If they had given it the same name, size, and approximate download speed as
the file I was downloading, I would have had zero way to determine this.
Everyone has accidentally started two downloads when they just wanted one
copy.

Unreal that this could happen on an official site. (And that it basically
tricked me.)

~~~
quickthrower2
I’m convinced to use windows store or Choco to install stuff for this reason.
Paint.net is practically impossible to download from their ad-infested site.

------
EamonnMR
I didn't see it working on Chrome on my phone (chrome 73.0.3683.90, OnePlus 6)

Edit: does work with a refresh

~~~
robocat
Perhaps you have JavaScript disabled.

------
nkozyra
This sort of works on chrome Android, but the critical overflow:hidden trick
does not prevent chrome from restoring the real address bar.

------
ldng
Slightly OT, but it's HTTPS so it must be safe, right ?

It's an example of why the "HTTPS everywhere" push annoys me, it gives false
sense of security. Security resources should be better spent.

Also, back on topic, Google should stop handing blindly the wheel to
"Designers". Oversimplification instead of properly educating people lead to
this crap.

~~~
DownGoat
HTTPS everywhere is a good thing. HTTPS was never about protecting against
phishing, and has never protected you against phishing. There is no way to
educate people about phishing, only way to protect against it is U2F.
Education against phishing is not very effective, and only works short term.

~~~
yjftsjthsd-h
Right, but it was pushed as "lock icon means secure" and end users don't
distinguish threat models.

~~~
ldng
Exactly, and I disagree on education. People can and must be taught on
security (not just phishing). But that also mean some standardization on the
browser UI and not trying to make it "seamless" and "transparent". This
exploit is the result of voluntarily blurring the lines between Traditional
Apps and Web Apps. Well, the threat model being very different, it's not a
good idea.

HTTPS is a part of a whole and pushing so hard make people (even tech savvy
ones) focus too much on it. How many CTOs are happy with just putting HTTPS on
their website so they can check the security checkbox ?

------
astura
Looks like the "never redisplay the true url bar" trick didn't work for me on
my mobile Chrome.

[https://imgur.com/a/Pjybovf](https://imgur.com/a/Pjybovf)

------
codedokode
This fake bar reminds me of a fake address bar that Google displays in an AMP
viewer and efforts it takes to be able to replace URLs in an address bar
instead of just letting the user visit the target site.

------
a_c
When using firefox focus on android, the whole image is blocked from loading

------
odux
I like how 10 years back or today the answer to such phishing issues (then
specifically targeted at IE, now Chrome) is 'use Firefox'.

------
stabbles
The usability / security trade-off is difficult.

Another example where Chrome prefers usability over security is autofill,
where a user can accidentally share more personal information than he/she
wishes:

[https://medium.com/@stabbles/why-you-should-disable-autofill-bf2e15c65b5c](https://medium.com/@stabbles/why-you-should-disable-autofill-bf2e15c65b5c)

------
oedmarap
Using Firefox Focus on Android and the bar doesn't show up at all. Re-enabled
Chrome temporarily and the bar does show up, however.

------
carroccio
There is previous work on the matter: A fake Firefox XUL browser if I recall
correctly (UI readdressing).

This attack is for sure nice and effective!

------
3pt14159
I figured out something kinda like this but worse. I don't really know how to
make it public though because it hits so many different pieces of software
that I struggle to see how I could give enough warning to all of them.
Thousands of entities, really.

If someone else has dealt with this please reach out I want to make it public
in a safe way.

------
suzzer99
I'll worry about this when I stop getting emails from my banks and credit card
companies that look like cheesy phishing emails and ask me to click the link
then login.

My point is that none of this stuff matters if major corporations continue to
send out terrible emails that basically encourage consumers to engage in risky
behavior.

------
BentFranklin
Reading this reminded me of the time in the 80s when I discovered hex editors
and changed COMMAND.COM to reverse every DOS command. So to get a directory
listing you had to type RID, COPY became YPOC, etc. The error message was
!sdrawkcaB. I know I'm no hacker but everyone else thought I was.

------
bartimus
Perhaps a solution would be to allow the browser to share a "fingerprint" with
specific websites. To make a trusted connection. The website would know if a
trusted connection exists for the user and deny all login attempts coming from
unauthorized fingerprints.

------
zzo38computer
Not using Chrome, and not having a padlock in the URL bar, and disabling non-
ASCII URLs, fixes much of this problem.

Another possibility would be to display a "collapsed" address bar, so that you
can see that it is not the actual bar, but rather is another one.

~~~
jamesfisher
IMO, the collapsed address bar is the most pragmatic fix to this issue. (The
other fixes are options that users would have to opt in to, rather than being
fixed at the source - i.e. Chrome.)

------
z3t4
I tried to exploit the mobile browser hiding the address bar when scrolling to
hide the address bar in a web game/app to get more screen real estate on
mobile but most browsers make it very hard.

------
gmueckl
The illusion is almost perfect. However, it breaks when you scroll back to the
very top. The real address bar reappears on top and stays there even when
scrolling back down. This is with Chrome 73.

------
stdcall83
I wrote in QuickBASIC a clone of the Novell network login screen and dumped
passwords to a file. Got dozens of students' passwords and did nothing with
it... I was 13 years old...

------
below43
Doesn’t scale well to small mobile devices (eg iPhone SE)

------
huffmsa
If I scroll up high enough, I get both address bars. Then if I scroll back
down both stay in place. The inception bar isn't clickable, ever.

On chrome 73.0.3683.90

------
todipa
Wow, didn't even think it was possible to do this.

------
meuk
Looks like they 'fixed' this in Chrome for mobile. The URL bar no longer
disappears on his site (but it does on most other sites).

------
quietbritishjim
The scroll jail is easily defeated by grabbing the fake address bar and
pulling that down, rather than pulling down the main content area.

------
cm2187
By overriding the scroll behavior, it also makes the page feel very unnatural
on an ipad (I think it’s the inertia effect missing).

------
pmoleri
Scary exploit! Would it also work using Element.scrollIntoView()? In such case
it wouldn't even need user interaction.

------
sizzle
Totally fooled me, but pulling down on the fake 'inception' bar brings back
Chrome's url bar. Neat trick.

------
enedil
I'm surprised that nobody included "clicking on the url bar in order to modify
it" as a mitigation.

~~~
jamesfisher
In principle, it's not a mitigation - I was just too lazy to forge an
interactive URL bar! You could make one which acts just like the Chrome URL
bar, but e.g. acts as a MITM.

~~~
jannotti
At first I thought you wouldn't be able to stay "in the middle" because you'd
have to redirect to the typed address. You can't AJAX it in, because of CORS.

But you could go to your own host and have your server sit in the middle. The
user wouldn't be logged in, since cookies wouldn't be sent. But maybe they
would login through your proxy.

------
IAmAnIssue
Turns out if you lock the phone the actual address bar reappears after you
unlock your phone

------
Forge36
Yuck. I have a custom UI on mobile so it's out of place to see white. I also
just suffered from a bug causing images to half load (no idea why it seems
new). In trying to get images to load I got the tab count portion loaded, I
then immediately tried changing tabs ... With the fake button I just made show
up.

------
kerng
Doesn't seem to work with Firefox on Android but a nifty little trick for
sure!

------
rilax
It works with the desktop version too if you go full page (F11)

I did use chromium to test.

------
Stugie
I found a fix to this problem, on accident. I use Blokada apk on android (not
the Google play store version, the good one, if that makes a difference) and
when first visiting the page didn't see what the hell you were talking about,
the inception url bar never showed up for me. So, when most things don't load
or don't act as they're supposed to that is the first thing I go and do--
disable Blokada and reload. Once I did, then it showed up, (pretty cool little
discovery btw, good job)

So tl/dr; Can be fixed by using ad+malware blocking host file, namely this
one,
[https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master...](https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Hosts/GoodbyeAds.txt)
since it's the one I use and was using when I noticed this

~~~
Stugie
Bumping this so it doesn't get lost...

------
oftenwrong
A similar attack could be done with fake password manager UI elements.

~~~
astura
I saw a proof of concept video of exactly this using LastPass.

------
chris_engel
Javascript is disabled by default in my mobile browser _shrugs_

------
afarviral
The scroll jail didn't work for my firefox for android latest stable.

~~~
tyingq
The article indicates it's not supposed to. It's a quick and dirty proof of
concept, working in one environment (Android/Chrome), with a screenshotted
fake header. Just enough to prove the point.

------
29athrowaway
Change your system font.

~~~
lgats
slightly related, js [limited] system available font detection:
[https://gist.github.com/fijiwebdesign/3b0bf8e88ceef7518844](https://gist.github.com/fijiwebdesign/3b0bf8e88ceef7518844)

~~~
saagarjha
Safari has prevented websites from accessing nonstandard fonts as an anti-
fingerprinting technique for a while now, so this script does not quite work
for those.

------
rickdg
If I see 26 tabs open, I immediately know something is wrong.

------
pochamago
Huh naked browser doesn't even show the fake address bar

------
Causality1
This scroll jail shit is why I absolutely despise AMP pages.

------
asgs
it was hard to reproduce this behaviour on Firefox mobile, but it did happen
twice after multiples of scroll ups and downs.

so the question is, is it a common browser bug?

------
d0bby
I like how this is a trend now, fake popups, fake url bars.

Maybe _unique_ browser designs would help users.

------
crushcrashcrush
This is why chrome is a terrible choice - it disregards OS UI/UX choices.

------
paul7986
Poor Android users .. no blue bubbles and now this!

~~~
amingilani
Security vulnerabilities are discovered across all platforms. Just recently
did we find an eavesdropping vulnerability in iOS[0] that certainly qualifies
as far more severe. Given how security issues can pop up for any platform, I
don't think calling one group of users "poor" is prudent, or a nice thing to
do.

[0]: [https://www.forbes.com/sites/daveywinder/2019/01/29/apple-confirms-iphone-facetime-eavesdropping-exploit-heres-what-to-do/#711ba821745b](https://www.forbes.com/sites/daveywinder/2019/01/29/apple-confirms-iphone-facetime-eavesdropping-exploit-heres-what-to-do/#711ba821745b)

------
Simon_says
> when you visit this site on Chrome for mobile, and scroll a little way, the
> page is able to display itself as hsbc.com:

I would like to test this out, but I'm not willing to install spyware. Can
anyone confirm this?

------
bellerose
I guess this risk could be mitigated if the browser had recognition code
running in the background for if the top of the screen was mimicking the
search bar. I'm not fond of the idea that we put restrictions of fullscreen
mode where it requires user approval when scrolling down or something of that
sort.

------
woliveirajr
Well, people still believe that they will help a prince from Nigeria.

Also I've seen some old ladies believing that a younger soldier from the US needs
help taking money out of %some country%.

A fake address bar, with a fake "look, I'm safe" mark on it? Yes, it'll do it.

------
bawana
Reading these comments initially got me sad. How many echoes of the article’s
theme - ‘look at this flaw and how I exploited it’. At first I thought the
author had cast a magical spell to bring out the dark side in us. But really,
the initiative in us that is adversarial already exists and is simply
suppressed. We go about all day acting ‘civilized’ while the animal in us
paces nervously waiting for an opportunity to get out. And in the anonymity of
the net, we let the animal out. How many of us would brag about these
accomplishments to our children or to our boss at work?

But then I realized how honest every post was. How anonymity also encouraged
‘free’ speech. And remarkably how much data was shared. Before the net, when
we couldn’t be anonymous, we couched our meanings in bs and obfuscation. The
‘bs’ meter was a finely tuned process that you had to develop and run in the
background to sort the chaff from a person’s words. Now, comments are often
accompanied by a github link where I can read and test the code that people
brag about. Thank you internet

