This specific example may be new, but the concept of fooling users with websites containing images of the system's own UI is not new --- for example, all the fake antivirus alert boxes. That had a relatively easy mitigation --- using a non-default appearance on your system (e.g. an XP-style "you have a virus!" dialog box image would just look silly if you weren't using XP with the default theme), but it seems the trend toward un-customisability is just going to lead to this being even easier to exploit.
Of course, mobile browsers hiding important information and being even more un-customisable makes this worse.
Well, even I, as the creator of the inception bar, found myself accidentally using it!
When reading a product's documentation that has screenshots explaining how to do something, I've also accidentally tried to manipulate them instead of the actual dialogs. I'm sure others here have had similar experiences too.
Read people's creds and store them somewhere, then issue a 'wrong password' msg and exit, resulting in the real login message.
People will just assume they made a typo and continue as if nothing happened.
I've argued before for a genuine out-of-band independent display on machines which can only be written to by some very high privilege process.
Incidentally, this is why Face ID is strictly worse than Touch ID in my opinion.
Touch ID with wet or slightly dirty fingers is not good. I've been doing some gardening over Easter and Touch ID is barely working because my fingers are rougher than they normally are.
Face ID on the other hand, works just as expected. It doesn't work optimally if I'm lying down, but that's not a problem for me personally.
He busted me by booting up the system from floppy, typing in the command to format the hard drive and waiting for me to return to the lab after school. I asked him what he was doing and he said he had no choice but to reinstall from scratch because someone had changed the password. He then moved to hit the Enter key.
Not wanting my fellow students to lose their projects, I confessed. I logged him in and he changed the password.
He then gave my account admin privileges. I guess I had earned them.
Heh, I don't think so. Teachers don't like to send their pupils to court for silly things. They'd just get told why not to do it again and probably get some detention and stuff.
At a uni, the consequences might be more severe.
I kept silent about this until years afterwards for fear of being chucked out of college, which to be honest would've been a good thing seeing as the course was a waste of time.
Show a fake login prompt. Write down what gets entered, show wrong password and exit to real prompt.
Made me and my friend laugh.
Next session the teacher asked us to sit at the same computer, and after 20 min a guy came to me and asked « Are you pseudo ? »
Turns out that the computers really had viruses and they thought it was me!
They threatened to expel me (more to frighten me I think since they had no proof), and made me the cleaning guy for all the semester.
It gave me an undeserved reputation of the guy who hacked the university computers. And a better sense of caution.
I definitely had too much free time at the time. :)
If you ever wondered why you have to press ctrl-alt-del to log in, that is why (nobody ever fixed this for Linux).
Seems you're not familiar with Linux. It had SAK since forever.
It should be "Press ctrl-alt-delete to log in", not "By the way you can press ctrl-alt-delete if you want" because then nobody will bother!
It works by killing everything on that particular terminal, no matter if it's text based or graphical. That's the whole point: whatever spawns after that is created by the init system.
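Whether the kernel's SAK (Alt+SysRq+K, the combo mentioned in this thread) is actually available depends on the sysrq bitmask. The check below is an added example, not code from the thread; it assumes the documented `/proc/sys/kernel/sysrq` semantics (0 = off, 1 = all functions, otherwise a bitmask in which the value 4 enables keyboard control, i.e. SAK) and falls back to a constructed sample value when the file is not readable.

```shell
#!/bin/sh
# Added example: report whether the Linux Secure Attention Key (SAK) is
# enabled through the sysrq bitmask. Semantics of /proc/sys/kernel/sysrq:
#   0  = all sysrq functions disabled
#   1  = all sysrq functions enabled
#   >1 = bitmask; bit value 4 = "enable control of keyboard (SAK, unraw)"
SAK_BIT=4

# sak_enabled VALUE -> prints "yes" if SAK is reachable, otherwise "no".
# Non-numeric input is treated as "no" rather than as an error.
sak_enabled() {
    v="$1"
    case "$v" in
        ''|*[!0-9]*) echo "no"; return 0 ;;
    esac
    if [ "$v" -eq 1 ] || [ $(( v & SAK_BIT )) -ne 0 ]; then
        echo "yes"
    else
        echo "no"
    fi
}

# Use the live kernel value when available; otherwise a constructed sample
# (176 = 128+32+16: reboot, remount and sync only, so no keyboard control).
sysrq_file=/proc/sys/kernel/sysrq
if [ -r "$sysrq_file" ]; then
    current=$(cat "$sysrq_file")
else
    current=176   # constructed sample value, not read from a real host
fi
echo "kernel.sysrq=$current -> SAK enabled: $(sak_enabled "$current")"
```

If the answer is "no", SAK can be turned on for the running kernel with `sysctl -w kernel.sysrq=1` (or a bitmask that includes 4) by an administrator.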
> But most importantly you don't have to use the SAK to log in! That's kind of the whole point of it.
> It should be "Press ctrl-alt-delete to log in", not "By the way you can press ctrl-alt-delete if you want" because then nobody will bother!
I can guarantee you, if I were to copy the design of the login screen that shows up after you press ctrl-alt-del, 99.999% of people who don't work in IT won't bat an eye and will enter their credentials straight away. It comes down to educating your users. If you don't explain to your users why they have to press it before logging in, they will write it off as just random computer stuff they don't understand and only do so because they get prompted to do so. If next time around they don't, they don't care.
So it comes down to educating your users, and I could very well train them to press alt-print-k before logging in, whereas I agree that a friendly reminder on the login screen is a plus.
The idea is interesting, and it could've been puppies or some other corny wallpaper that did the trick.
It worked quite effectively on 3.x because you could just minimize progman.exe
Frankly though, I preferred the actual BBC Micros and Amigas that those IBMs were meant to replace.
This was meant as a joke, and I never actually went through with it. I know the person very well but it still felt douchebaggy. But the idea was to make an app file, save it to some seemingly legitimate folder, and add it to the autostart list.
The trick to hide the thing was to drag and drop Safari's logo onto it, and naming the app "Safan": it almost goes unnoticed when checking the Activity Monitor, thanks to the system font's proportions.
I guess I could have named it Disk Memory Manager or some other important-sounding thing.
I couldn’t convince them that it was just a picture, and that I could fake it if I wanted to.
Firefox is the pre-install default for most distros, and only Chromium is provided in default repos.
They're also significantly more likely to use some form of ad and JS blocking.
So until the appearance changes based on the UA and system theme (and maybe can read bookmarks and plugins), this trick mostly affects mobile Chrome users.
Shouldn't it be "Ceci n'est pas une UI."? Since interface is a feminine word in French, the article in front of UI needs to be feminine too.
Autohide menu bars are bad designs, and you have this on top of that.
The Fullscreen API must be removed from browsers for security reasons; new window hints should be removed too.
Apparently Apple already reports your offensive photos; can't imagine why browsing should be treated differently.
How do you define this?
> Apple already reports your offensive photos already
Same as every tech company does with tons of other spam types.
>> This analysis generally happens inside a sandbox, and very little of what the systems determine makes it outside of that sandbox. There are special exceptions, of course, for things like child pornography, for which very special classifiers have been created and which are specifically permitted to reach outside that sandbox.
Unsure what Techcrunch's source for this is, but it kinda makes sense.
The only solution here is a proper line of death. It defeats the purpose of the LoD when it dynamically shrinks from user action.
Joking aside, "line of death" is easily understood but I never heard the name before. Now that it has a (perfect) name I will never forget it, and that's the importance of giving technology a fitting name. My biggest pet peeve in modern UI is the hamburger menu icon. Three horizontal lines does not, in any way, indicate to the user that menu options lay behind it... and the name was downright awful. We replaced a perfect icon at the time, the "gear" (a gear references an engine, so users looking to change settings understood the analogy). But the hamburger menu tried to remove the "settings" idea and instead encompass navigation, settings, preferences, and operations into one menu icon. In my opinion, it failed, but now is so ubiquitous most people are fine with it.
Nowadays it probably really is just as you say.
The challenge is preserving ability for content to control all pixels; without it, the content ecosystem ends up developing single-purpose, generally crappy apps, which isn't necessarily a better thing either...
I'm not sure it is the only solution either - what about "secure attention key" type ways to get the system's attention (in this case the browser's), bypassing any content interception? For example, what if there was a key combo guaranteed to always bring in the browser UI, and typing that key combo was necessary before inputting any password field?
Alternatively, the reliance on browser password management could provide some security if it can be trusted to always work...
The Secure Attention Key is interesting, but would need the user to know you press it. And on mobile, it would probably need to be a dedicated button on the device, since I could just fake the on screen keyboard too.
Password manager auto-fill failing would clue a savvy user that something was wrong, but I suspect many would just assume it's a glitch and manually enter their credentials.
I saw a reply in another thread suggesting customizable browser background images for the UI bar, which a website would have no way of replicating. In my opinion that's probably the best approach, although it might mean throwing away the ability for sites to set the background color of the UI to match their theme (arguably losing nothing of value :).
Consider a semi-configurable universal menu with a well defined access method, where you always can back out of the app, and in the case of browsers also have guaranteed access to switching tabs and accessing options, etc.
We aren't trained to press escape before entering passwords, though.
Edit: saw in another comment that it's hardcoded, so it was coincidence. That makes sense.
On the other hand, scrolling to the very top of the page reveals the original address bar.
A possible mitigation would be to use a custom background or gradient for the bar that a web page can't guess. I'd be tempted to suggest the Google account's picture (if Chrome is logged in), but I don't know how safe that is from cross-site shenanigans.
The result is that users have been trained not to expect consistent UI paradigms. Every UI is hunt-and-peck. And that paves the way for this kind of exploit.
This was anticipated and partly avoided by a reasonably large modal which pops up to tell you you’re in full screen mode, and disappears after a few seconds.
Another similar exploit on desktop was to set the cursor of the page to be a very large image which would overlay the browser chrome and put some fake information there.
The issue on mobile could perhaps be reduced by having some amount of UI that doesn't go away (Safari does this in portrait mode). Another help could be to not make the UI disappear (or make it reappear) when this kind of scrolling-an-iframe situation arises.
Even just in this case - making it look like Chrome mobile results in a different bar than Firefox mobile. If they converge more though it'd take less effort to hit more people.
Which is also why they are so abominably large. Picking on Skype, but they are by no means the only or worst: the Android app is 71MB. There is no sane reason it needs to be that large except for all of the custom assets and custom widgets.
Edit: it's happening kind of randomly. 1 time it happens, 3 times it doesn't...
Also this version wouldn't fool me because it says I have 26 tabs open. I'm used to the infinity symbol there!
- at the top of the page, if I scroll, the address bar disappears;
- as soon as the fake HSBC bar appears, the real address bar comes back;
- both of them remain here until I reload the page.
I also disable the fullscreen API: set 'full-screen-api.enabled' to 'false'.
It adds the browser elements to make it appear like a verified popup.
The only reason it was discovered was due to users complaining that the password manager did not auto-populate the form.
I suppose the author just wanted a quick PoC, but with enough work, one could mimic an interactive browser address bar, including the menu with refresh, bookmark, etc. and even the HTTPS padlock with security information. Browser UIs being designed in CSS itself, one could easily copy/paste from the browser itself.
It’s just a proof of concept, focusing on one browser in one operating system. It would be interesting to see how well this could be done on iOS. The real host name is always shown at the top of the page, so it’s not going to be perfect.
Doesn't have to be perfect - just good enough to fool some people.
(user interface image confusion danger)
But I guess you just need it to work often enough.
Whether you click allow or deny, it shot off a network request to a third party domain. This lets the third party know your browser's user agent, and if they have an exploit for your browser they will send a payload that compromises the browser with the intent of installing an adware extension.
It failed to install on the machine I made for it (Ubuntu18/Chrome) but it did manage to navigate me to an advert from the click.
The best I can think of is that it does 2 things:
1. Preserves the "true" allow/deny prompt for a time when the user will allow.
2. Lulls the user into a sense of security. The page is nice and/or their browser will ask about anything the page tries to do.
It also needs to seem legitimate so people click it but don't report it.
Sites with fake dialogs in my experience ask again the next time you open the page.
I take great pleasure in choosing ‘Allow’ in those custom dialogues and then ‘Deny’ when the native one pops up immediately afterwards.
It mirrors the exact behavior of an AMP page's header.
Sure, image recognition is CPU intensive, but even just checking once every 5 seconds or so would be enough to prevent this sort of attack and pop up a big "you are being phished" warning. And 99.99% of what occupies that UI real estate looks sufficiently unlike a search bar that a low-cost recognizer should be able to rule out phishing for normal sites fairly quickly.
What am I missing? Has this approach been tried and rejected? Is image recognition of fairly static, flat, 2D, geometric shapes actually far more CPU-intensive than I imagine?
An inception bar could include a fake refresh button, no?
On mine (latest on iPhone 7 at the time of this writing) the site just says my browser doesn’t support the full screen API.
I really think this should result in a permissions dialog from the browser.
This wasn't some shady part of the Internet. I was livid.
If they had given it the same name, size, and approximate download speed as the file I was downloading, I would have had zero way to determine this. Everyone has accidentally started two downloads when they just wanted one copy.
Unreal that this could happen on an official site. (And that it basically tricked me.)
Can be fixed by using an ad+malware blocking hosts file, namely this one, https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master... since it's the one I use and was using when I noticed this.
Edit: does work with a refresh
It's an example of why the "HTTPS everywhere" push annoys me, it gives false sense of security. Security resources should be better spent.
Also, back on topic, Google should stop blindly handing the wheel to "Designers". Oversimplification instead of properly educating people leads to this crap.
HTTPS is a part of a whole, and pushing it so hard makes people (even tech savvy ones) focus too much on it. How many CTOs are happy with just putting HTTPS on their website so they can check the security checkbox?
Another example where Chrome prefers usability over security is autofill, where a user can accidentally share more personal information than he/she wishes:
This attack is for sure nice and effective!
If someone else has dealt with this please reach out I want to make it public in a safe way.
My point is that none of this stuff matters if major corporations continue to send out terrible emails that basically encourage consumers to engage in risky behavior.
Another possibility would be to display a "collapsed" address bar, so that you can see that it is not the actual bar, but rather is another one.
On Chrome 73.0.3683.90
But you could go to your own host and have your server sit in the middle. The user wouldn't be logged in, since cookies wouldn't be sent. But maybe they would login through your proxy.
I did use Chromium to test.
So the question is, is it a common browser bug?
Maybe _unique_ browser designs would help users.
I would like to test this out, but I'm not willing to install spyware. Can anyone confirm this?
Also I've seen some old ladies believing that a younger soldier from the US needs help taking money out of %some country%.
A fake address bar, with a fake "look, I'm safe" mark on it? Yes, it'll do it.
But then I realized how honest every post was. How anonymity also encouraged ‘free’ speech. And remarkably how much data was shared. Before the net, when we couldn’t be anonymous, we couched our meanings in bs and obfuscation. The ‘bs’ meter was a finely tuned process that you had to develop and run in the background to sort the chaff from a person’s words. Now, comments are often accompanied by a github link where I can read and test the code that people brag about. Thank you internet