I think Pwn2Own misses the mark on focusing on the security problems people actually have, and they make it sound like browsers are more or less secure than they are, when you consider threats users will actually face.
- Chrome is the most infected web browser, because the Chrome Web Store allows any extension to get the permission to read all the web content you view, inject their own content, and report back to a master server. Little to no scrutiny of such permission grants is done on Google's part, and it's not considered a vulnerability. The user having malicious extensions is the user's problem, not a Chrome security problem, it seems.
- Pretty much all web browsers allow Java alert() prompts to capture all UI interaction with the web browser, allowing malicious websites to trick users into believing their computer has malware and they need to call a scam support line, or to force users to install malicious Chrome extensions. The checkbox to prevent a site from creating these popups is only mildly effective due to other tricks these sites employ. It's still, for some reason, not seen as a problem that websites can capture the browser's UI in this way.
Pwn2Own seems like code golf. It isn't particularly helpful in the grand scheme of things, and nobody's fixing the problems that actually cost average users billions of dollars in money handed either to phone scammers or to Geek Squad support folks who just have to reboot their PC for them.
1 comment
[ 4.3 ms ] story [ 14.6 ms ] thread- Chrome is the most infected web browser, because the Chrome Web Store allows any extension to get the permission to read all the web content you view, inject their own content, and report back to a master server. Little to no scrutiny of such permission grants is done on Google's part, and it's not considered a vulnerability. The user having malicious extensions is the user's problem, not a Chrome security problem, it seems.
- Pretty much all web browsers allow Java alert() prompts to capture all UI interaction with the web browser, allowing malicious websites to trick users into believing their computer has malware and they need to call a scam support line, or to force users to install malicious Chrome extensions. The checkbox to prevent a site from creating these popups is only mildly effective due to other tricks these sites employ. It's still, for some reason, not seen as a problem that websites can capture the browser's UI in this way.
Pwn2Own seems like code golf. It isn't particularly helpful in the grand scheme of things, and nobody's fixing the problems that actually cost average users billions of dollars in money handed either to phone scammers or to Geek Squad support folks who just have to reboot their PC for them.