Just to be clear, you're referring to real Firefox address bar (pointing to TFA), not the fake Chrome address bar (pointing to hsbc.com). So yes, in this case Firefox has (accidentally?) somewhat thwarted this attack vector.
I noticed this as well. I'm wondering if FF is smart enough to always show it's own title bar if a CSS element is pinned to the top of the viewport? Gotta do more testing ...
Interesting! So it does. However Firefox does hide the URL bar on other pages! I'll try to figure out what the logic is in Firefox, and whether there's an equivalent trick to hide the URL bar ...
That’s because the site messes with the scrolling in an attempt to prevent the top chrome to not come back, which unfortunately (or fortunately?) doesn’t do anything because Safari refuses to hide it.
Yeah, the scrolling is so janky on the page, I thought my iPad wasn’t properly responding to multitouch input for a moment... Then I opened the HN discussion and smooth, buttery scrolling (tm) was back. Lesson: don’t hijack scrolling behavior, it’s awful. (Very smart hack though.)
> With a little more effort, the page could detect which browser it’s in, and forge an inception bar for that browser.
It’s just a proof of concept, focusing on one browser in one operating system. It would be interesting to see how well this could be done on iOS. The real host name is always shown at the top of the page, so it’s not going to be perfect.
Safari doesn’t hide the url bar when you employ the “scroll jail” technique he described. It also doesn’t feel right scrolling because he omitted the css property for inertial scrolling in his “scroll jail.”
At least on my computer there is a permission dialog for the fullscreen API. However, if document scripting is disabled (which is what I have by default anyways) then the link does not do those stuff. (I also use an unusual window layout, so if someone tries to spoof the window layout, it is likely that I can easily see the problem immediately anyways.)
FWIW, opening that link in mobile Safari shows a large “X” in the top left of the screen and trying to scroll sets of the “it looks like you’re typing in fullscreeen” warning.
IMO, the collapsed address bar is the most pragmatic fix to this issue. (The other fixes are options that users would have to opt in to, rather than being fixed at the source - i.e. Chrome.)
The article indicates it's not supposed to. It's a quick and dirty proof of concept, working in one environment (Android/Chrome), with a screenshotted fake header. Just enough to prove the point.
In principle, it's not a mitigation - I was just too lazy to forge an interactive URL bar! You could make one which acts just like the Chrome URL bar, but e.g. acts as a MITM.
At first I though you wouldn't be able to stay "in the middle" because you'd have to redirect to the typed address. You can't AJAX it in, because of CORS.
But you could go to your own host and have your server sit in the middle. The user wouldn't be logged in, since cookies wouldn't be sent. But maybe they would login through your proxy.
Using Firefox for android: if I open the page and scroll down, the address bar becomes invisible and the hsbc bar shows up. If I keep scrolling down, I just see hsbc. The moment I scroll up, the original address bar is shown, and even if I keep scrolling down, the bar does not disappear.
Edit: it's happening kind of randomly. 1 time it happens, 3 times it doesn't...
Using Firefox Beta for Android v67.0b9, I see the hbsc address bar as a second address bar below the real one. It remains in place as I scroll, although a couple of times it disappeared.
Also this version wouldn't fool me because it says I have 26 tabs open. I'm used to the infinity symbol there!
Using Firefox 66.0.2 on Android as well. Pretty much the same behavior here, except that it does not look random at all:
- at the top of the page, if I scroll, the address bar disappears;
- as soon as the fake HSBC bar appears, the real address bar comes back;
- both of them remain here until I reload the page.
It looks like if the use of CSS position: fixed forced the Firefox address bar to be visible. Which given the context looks like a really good thing!
If Firefox doesn't trust elements with position: fixed, one could use position: absolute or even position: static (the default value) instead and move element when scrolling.
Security vulnerabilities are discovered across all platforms. Just recently did we find an eavesdropping vulnerability in iOS[0] that certainly qualifies as far more severe. Given how security issues can pop up for any platform, I don't think calling one group of users "poor" is prudent, or a nice thing to do.
I guess this risk could be mitigated if the browser had recognition code running in the background for if the top of the screen was mimicking the search bar. I'm not fond of the idea that we put restrictions of fullscreen mode where it requires user approval when scrolling down or something of that sort.
This is why I think removing the physical (as in, below the screen --- whether they're capacitive or actual pushbuttons isn't the point here) buttons from Android devices is a horrible idea; a webpage can mess around with what's on the screen, but it can't stop the user pressing the physical menu button and choosing Refresh from there.
By "hard refresh" I took that to mean using the keyboard to forcibly reload the page and all assets, e.g. CTRL-F5 on Windows. Of course, the average user probably doesn't use keyboard commands, or even know this one exists.
Thanks, and yes! I was originally thinking "pull-to-refresh", but since your comment, I've enhanced the phishing with another trick: a large buffer at the top of the scroll jail, which prevents the user from reaching the top, and thus prevents the user from using "pull-to-refresh". Now, the only way I know to reliably get out of the page is to move to another app, then back to Chrome - this seems to cause it to re-display the true URL bar.
In Chrome beta 74, the count is in the bottom toolbar, so a variant of this attack that were UA-aware might have an even easier time. (The padlock is no longer green, either, and the leading https:// is omitted.)
On the other hand, scrolling to the very top of the page reveals the original address bar.
A possible mitigation would be to use a custom background or gradient for the bar that a web page can't guess. I'd be tempted to suggest the Google account's picture (if Chrome is logged in), but I don't know how safe that is from cross-site shenanigans.
This specific example may be new, but the concept of fooling users with websites containing images of the system's own UI is not new --- for example, all the fake antivirus alert boxes. That had a relatively easy mitigation --- using non-default appearance on your system (e.g. an XP-style "you have a virus!" dialog box image would just look silly if you weren't using XP with the default theme), but it seems the trend toward un-customisability is just going to lead to this being even more easy to exploit.
Of course, mobile browsers hiding important information and being even more un-customisable makes this worse.
Well, even I, as the creator of the inception bar, found myself accidentally using it!
When reading a product's documentation that has screenshots explaining how to do something, I've also accidentally tried to manipulate them instead of the actual dialogs. I'm sure others here have had similar experiences too.
I have an unquantified theory that the number of users that can distinguish between a Windows 7/8/10 dialog box that is presented directly by the operating system, versus as an image inside a browser coming from external http/https server, is diminishing greatly every year.
Which have a lower overall usage of the proprietary chrome browser, as well.
Firefox is the pre-install default for most distros, and only Chromium is provided in default repos.
They're also significantly more likely to use some form of ad and JS blocking.
So until the appearance changes based on the UA and system theme (and maybe can read bookmarks and plugins), this trick mostly affects mobile Chrome users.
Last time I was in Davis CA, someone was trying to get me to sign up to their charity. They had an iPad, and were adamant that the padlock on the screen proved it was secure.
I couldn’t convince them that it was just a picture, and that I could fake it if I wanted to.
In office, adding screenshot visual studio startup splash screen to the wallpaper and watch the dev. Best moment is when they see visual studio being first thing to start after system reboot.
That's the era as me (Windows 3.0 was released in 1990, 3.1 a couple of years later). I'm surprised your school let you have unfettered access to the DOS prompt - that would have gotten abused within minutes at our school. Even the BBC BASIC interpreter ended up getting removed from the network because people like myself would abuse the PC Speaker (which, to be honest, was the last the mischief I'd cause).
Frankly though, I preferred the actual BBC Micros and Amiga's that those IBMs were meant to replace.
Older school even -- instead of logging out of (real hardware) terminal sessions, exec a program which prints `login: ` and disables keyboard interrupts.
Read peoples creds and store somewhere, then issue a 'wrong password' msg and exit, resulting in the real login message.
People will just assume they made a typo and continue as if nothing happened.
I've argued before for a genuine out-of-band independent display on machines which can only be written to by some very high privilege process.
Similarly, the iPhone X requires double-pressing the power button to complete a purchase using Face ID. Previously, with Touch ID, the authentication action itself was also sufficient to establish intent (placing the finger on the sensor). But with Face ID, any app could just pop up the purchase window and Face ID would see your face.
Incidentally, this is why Face ID is strictly worse than Touch ID in my opinion.
Maybe is up to implementation? I've got an X and the intent to pay pops up the native pay modal, which still requires you to double press the power button AND to be authenticated. So what you say never really happens.
how is it worse? touch id’s serving as authentication and approval for payment was actually exploited as a scam. I don’t see how this could be done with face id.
That’s fair. I never encountered anything like that. In my experience Touch ID was faster, more reliable, and more versatile (e.g. able to be activated with the phone lying on a table without peering over it with my face).
I happen to be in a situation where I have a phone with Face ID and one with Touch ID.
Touch ID with wet or slightly dirty fingers are not good. I've been doing some gardening over Easter and Touch ID is barely working because my fingers are more rough than they normally are.
Face ID on the other hand, works just as expected. It doesn't work optimally if I'm lying down, but that's not a problem for me personally.
Yes, but it isn't very effective because if the computer is left with the login screen visible after Ctrl+alt+del opened in a full screen browser, users will simply proceed directly to typing their credentials. Then an endless logging in dialog could be presented, so that the user thinks it is a problem with the computer.
Hmm not if your users are trained to press Ctrl-Alt-Del again... The login screen would also allow them to order the OS to log off the current session too.
What did you do with the passwords you captured? Sounds unethical... You'd definitely be facing criminal charges if you got caught doing this today I'd imagine.
Back in the day I made a near-perfect copy of the RM (UK school IT supplier) login page in Visual Basic 6, and had it run on computers with RunServices registry entry. Had a team of mates with custom floppy disks going around installing it on as many PCs as we could. It would log the supplied user/pw to disk, then display the "wrong password" error, then quit, then exposing the real login screen.
What did you do with the passwords you captured? Sounds unethical... You'd definitely be facing criminal charges if you got caught doing this today I'd imagine.
Heh, I don't think so. Teachers don't like to send their pupils to court for silly things. They'd just get told why not to do it again and probably get some detention and stuff.
Yeah it's not like you did anything illicit like change grades or wreak havoc on the network by mass formatting computers, unless you intentionally left out those parts ;)
Mine would log you in. Of course the OS (Oasis) had a way to exec the login program and feed it the password. I stole the teacher’s password and then changed it.
He busted me by booting up the system from floppy and typed in the commend to format the hard drive and waited for me to return to the lab after school. I asked him what he was doing and he said he had no choice but to reinstall from scratch because someone changed the password. He then moved to hit the Enter key.
Not wanting my fellow students to lose their projects, I confessed. I logged him in and he changed the password.
He then gave my account admin privileges. I guess I had earned them.
I became the help desk. It seemed like an elevated status but in reality it meant I got some of the drudgery piled on to me. Password changes, adding students,
disk quota increases and such.
That exists: look for 'trusted path'. It was a feature of compartmented mode workstation (CMW) operating systems like Trusted Solaris and lives on in the requirement to use Ctrl-Alt-Del to call up the Windows login prompt. In Trusted Solaris (TSOL) it was a dedicated area of the screen—along the bottom—where no user mode process was allowed to write; the OS displayed a special symbol there (sort of like the padlock in a web browser) when the user was interacting directly with the OS. Some CMW systems even implemented that functionality in hardware, electronically compositing windows from different physical frame buffers to the video display. Ctrl-Alt-Del is actually in hardware, too (or it used to be); the keyboard interface on the first IBM PC detected that specific key combination and toggled the reset line on the CPU (or maybe it was an interrupt; I forget). Every subsequent PC-compatible machine, to this day, has the same functionality built in to the hardware, on the A20 reset line. It's mostly vestigial today.
This was how I gained full sysadmin access to our college's VAX 11/780 mini computer in late 1986. This machine ran pretty much everything from accounting to exam marking. There were three terminals that the admins would logon to pretty much regularly on the "student" side of the computer room. I knocked up a script to run on these three terminals that looked exactly like the standard login and mailed me the credentials entered before displaying the standard "incorrect username/password" (and then silently logoff). The risk for me, had the IT team been a bit more up on their game, was spotting my account being logged into these three terminals for long periods of time with me no-where to be seen :)
I kept silent about this until years afterwards for fear of being chucked out of college, which to be honest would've been a good thing seeing as the course was a waste of time.
In high school I replicated the entire login UI of NT LAN manager (I think it was called) and had it save the password and then crash the machine (via c:\con\con). Asked the teacher to login for something and tada, admin password.
If you ever wondered why you have to press ctrl-alt-del to log in, that is why (nobody ever fixed this for Linux).
It doesn't look like the implementation is any good though. First, you have to set it up manually. I've literally never seen anyone do that. Second, it works by killing X. Not exactly elegant. But most importantly you don't have to use the SAK to log in! That's kind of the whole point of it.
It should be "Press ctrl-alt-delete to log in", not "By the way you can press ctrl-alt-delete if you want" because then nobody will bother!
> Second, it works by killing X. Not exactly elegant.
It works by killing everything on that particular terminal, no matter if it's text based or graphical. That's the whole point: whatever spawns after that is created by the init system.
> But most importantly you don't have to use the SAK to log in! That's kind of the whole point of it.
> It should be "Press ctrl-alt-delete to log in", not "By the way you can press ctrl-alt-delete if you want" because then nobody will bother!
I can guarantee you, if I were to copy the design of the login screen that shows up after you press ctrl-alt+del, 99.999% of people who don't work in IT won't bat an eye and enter their credentials straight away. It comes down to educating your users. If you don't explain your users why they have to press it before logging in, they will write it off as just random computer stuff they don't understand and only do so because they get prompted to do so. If next time around they don't, they don't care.
So it comes down to educating your users, and I could very well train them to press alt-print-k before logging in, whereas I agree that a friendly reminder on the login screen is a plus.
The company where I first worked out of university had a custom which the CEO named ‘shemaling’. The company had quite strict security standards. It was encouraged that anyone who found an unlocked screen in the office would ‘shemale’ the wallpaper. It did the job. I never forgot again after being ’shemaled’ the first time.
Funnily enough, it was four years ago, somewhere in continental Europe. Things were a bit freer there. I didn't stay there long. I have a lot more interesting stories from that place.
I gay porned an entire company's computers after they refused to crack down on employees watching people being murdered all day. They threatened to fire me so I explained exactly why I had done this and that I would happily explain this at length in any subsequent employment tribunal. I kept my job and the management finally told everyone to stop watching people getting killed on company time.
My co-workers thought it hilarious to line up clips of people being run over by trains or having their throat cut, then tell unsuspecting people that they had something very important to show them. Management didn't like being bothered by people complaining about what they viewed as guys being guys. Until they got an eyeful of guys doing guys, that is.
At a previous job, we had a "pipi" mailing list (pee, in French), where people would send "I went to pee" from unlocked computers. The "victim" themselves would often be members of said mailing list. That worked quite well, so organically, the list ended up being used mainly for random jokes, news and stuff, rather than the "I went to pee" messages.
Back in the days (1990) I found amusing to edit the autoexec.bat on my first CS session and add « You have a virus... of the flu », and signed with my pseudo.
Made me and my friend laugh.
Next session the teacher ask us to sit at the same computer, and after 20mn a guy come to me and ask « Are you pseudo ? »
Turns out that the computers really had viruses and they thought it was me !
They threatened to expel me (more to frighten me I think since they had no proof), and made me the cleaning guy for all the semester.
It gave me an undeserved reputation of the guy who hacked the university computers. And a better sense of caution.
In 1990 I also edited a friend's autoexec.bat to launch a quick basic script that would falsely check the disk for viruses and then prompt the user to delete their entire hard disk. Of course pressing "n" would print "y" on the screen and then display a fake progress bar along with a warning to not interrupt the operation in order to avoid disk damage.
I definitely had too much free time at the times. :)
Prolly need some sort of ml to parse every image used on device and tag potentially dangerous ones. Wouldn’t be too expensive on devices with tensor units...
Apparently Apple already reports your offensive photos already, can’t imagine why browsing should be treated differently.
>> This analysis generally happens inside a sandbox, and very little of what the systems determine makes it outside of that sandbox. There are special exceptions, of course, for things like child pornography, for which very special classifiers have been created and which are specifically permitted to reach outside that sandbox.
Unsure what is Techcrunch's source for this but it kinda makes sense.
Someone I know would constantly leave a macbook unlocked, so I prepared a script that would turn down the volume, whisper the owner's name, open weird sfw pictures online and other mildly annoying things, but not very often (like once a week).
This was meant as a joke, and I never actually went through with it. I know the person very well but it still felt douchebaggy. But the idea was to make an app file, save it to some seemingly legitimate folder, and adding it to the autostart list.
The trick to hide the thing was to drag and drop Safari's logo onto it, and naming the app "Safan": it almost goes unnoticed when checking the Activity Monitor, thanks to the system font's proportions.
Blurred lines aside, for posterity you could name it "Safari Auto-Update Utility" and use an app icon that has the Safari logo coupled with a cog wheel or so.
I thought of something like that, but then the user could kill it as a precaution since an auto-update utility or any other secondary application can be temporarily disabled. Killing "Safari", on the other hand, would terminate everything the user's currently doing in it.
I guess I could have named it Disk Memory Manager or some other important-sounding thing.
I'm not doubting the concerns raised but the fake failed in many ways for me on my phone with the latest chrome. It didn't appear. Then when it did it appeared below the existing bar.
But I guess you just need it to work often enough.
It's like the fake "Allow Notification" dialogs on some sites. They look off to pretty much anyone paying attention, but their target market probably isn't people paying attention
It’s the same reason many iPhone apps implement their own dialogues to ask about allowing notifications. If the user chooses ‘Deny’ in the system-provided one, the app can never ask again and the only way to turn notifications on later is to have the user go digging around in the Settings app, which few people will bother to do.
I take great pleasure in choosing ‘Allow’ in those custom dialogues and then ‘Deny’ when the native one pops up immediately afterwards.
It can be more sinister. Although I am sure the other answers are right in some circumstances, I was curious a while ago, so I actually clicked one.
Whether you click allow or deny, it shot off a network request to a third party domain. This lets the third party know your browser's user agent, and if they have an exploit for your browser they will send a payload that compromises the browser with the intent of installing an adware extension.
It failed to install on the machine I made for it (Ubuntu18/Chrome) but it did manage to navigate me to an advert from the click.
Safari has prevented websites from accessing nonstandard fonts as an anti-fingerprinting technique for a while now, so this script does not quite work for those.
A recent example that I've been seeing more and more is pages taking over some system keyboard shortcuts. I've seen pages taking over Command-F and using their own search interface instead of the browsers. I've found utilities for not messing with copy/paste, but is there a way to block pages with keyboard shortcuts in Chrome?
237 comments
[ 4.0 ms ] story [ 257 ms ] threadhttps://css-tricks.com/snippets/css/momentum-scrolling-on-io...
It’s just a proof of concept, focusing on one browser in one operating system. It would be interesting to see how well this could be done on iOS. The real host name is always shown at the top of the page, so it’s not going to be perfect.
doens't have to be perfect - just good enough to fool some people.
On mine (latest on iPhone 7 at the time of this writing) the site just says my browser doesn’t support the full screen API.
This attack is for sure nice and effective!
Another possibility would be to display a "collapsed" address bar, so that you can see that it is not the actual bar, but rather is another one.
But you could go to your own host and have your server sit in the middle. The user wouldn't be logged in, since cookies wouldn't be sent. But maybe they would login through your proxy.
Edit: it's happening kind of randomly. 1 time it happens, 3 times it doesn't...
Also this version wouldn't fool me because it says I have 26 tabs open. I'm used to the infinity symbol there!
I also disable the fullscreen API: set 'full-screen-api.enabled' to 'false'.
[0]: https://www.forbes.com/sites/daveywinder/2019/01/29/apple-co...
https://imgur.com/a/Pjybovf
An inception bar could include a fake refresh button, no?
Edit: saw in another comment that it's hardcoded, so it was coincidence. That makes sense.
On the other hand, scrolling to the very top of the page reveals the original address bar.
A possible mitigation would be to use a custom background or gradient for the bar that a web page can't guess. I'd be tempted to suggest the Google account's picture (if Chrome is logged in), but I don't know how safe that is from cross-site shenanigans.
This specific example may be new, but the concept of fooling users with websites containing images of the system's own UI is not new --- for example, all the fake antivirus alert boxes. That had a relatively easy mitigation --- using non-default appearance on your system (e.g. an XP-style "you have a virus!" dialog box image would just look silly if you weren't using XP with the default theme), but it seems the trend toward un-customisability is just going to lead to this being even more easy to exploit.
Of course, mobile browsers hiding important information and being even more un-customisable makes this worse.
Well, even I, as the creator of the inception bar, found myself accidentally using it!
When reading a product's documentation that has screenshots explaining how to do something, I've also accidentally tried to manipulate them instead of the actual dialogs. I'm sure others here have had similar experiences too.
Firefox is the pre-install default for most distros, and only Chromium is provided in default repos.
They're also significantly more likely to use some form of ad and JS blocking.
So until the appearance changes based on the UA and system theme (and maybe can read bookmarks and plugins), this trick mostly affects mobile Chrome users.
https://www.sitepoint.com/css-system-styles/
I couldn’t convince them that it was just a picture, and that I could fake it if I wanted to.
It worked quite effectively on 3.x because you could just minimize progman.exe
Frankly though, I preferred the actual BBC Micros and Amiga's that those IBMs were meant to replace.
Read peoples creds and store somewhere, then issue a 'wrong password' msg and exit, resulting in the real login message.
People will just assume they made a typo and continue as if nothing happened.
I've argued before for a genuine out-of-band independent display on machines which can only be written to by some very high privilege process.
Incidentally, this is why Face ID is strictly worse than Touch ID in my opinion.
https://www.wired.com/story/iphone-touch-id-scam-apps/
Touch ID with wet or slightly dirty fingers are not good. I've been doing some gardening over Easter and Touch ID is barely working because my fingers are more rough than they normally are.
Face ID on the other hand, works just as expected. It doesn't work optimally if I'm lying down, but that's not a problem for me personally.
Show a fake login prompt. Write down what gets entered, show wrong password and exit to real prompt.
Heh, I don't think so. Teachers don't like to send their pupils to court for silly things. They'd just get told why not to do it again and probably get some detention and stuff.
At a uni, the consequences might be more severe.
He busted me by booting up the system from floppy and typed in the commend to format the hard drive and waited for me to return to the lab after school. I asked him what he was doing and he said he had no choice but to reinstall from scratch because someone changed the password. He then moved to hit the Enter key.
Not wanting my fellow students to lose their projects, I confessed. I logged him in and he changed the password.
He then gave my account admin privileges. I guess I had earned them.
I kept silent about this until years afterwards for fear of being chucked out of college, which to be honest would've been a good thing seeing as the course was a waste of time.
If you ever wondered why you have to press ctrl-alt-del to log in, that is why (nobody ever fixed this for Linux).
Seems you're not familiar with Linux. It had SAK since forever.
It should be "Press ctrl-alt-delete to log in", not "By the way you can press ctrl-alt-delete if you want" because then nobody will bother!
It works by killing everything on that particular terminal, no matter if it's text based or graphical. That's the whole point: whatever spawns after that is created by the init system.
> But most importantly you don't have to use the SAK to log in! That's kind of the whole point of it.
> It should be "Press ctrl-alt-delete to log in", not "By the way you can press ctrl-alt-delete if you want" because then nobody will bother!
I can guarantee you, if I were to copy the design of the login screen that shows up after you press ctrl-alt+del, 99.999% of people who don't work in IT won't bat an eye and enter their credentials straight away. It comes down to educating your users. If you don't explain your users why they have to press it before logging in, they will write it off as just random computer stuff they don't understand and only do so because they get prompted to do so. If next time around they don't, they don't care.
So it comes down to educating your users, and I could very well train them to press alt-print-k before logging in, whereas I agree that a friendly reminder on the login screen is a plus.
The idea is interesting, and it could've been puppies or some other corny wallpaper that did the trick.
Made me and my friend laugh.
Next session the teacher ask us to sit at the same computer, and after 20mn a guy come to me and ask « Are you pseudo ? »
Turns out that the computers really had viruses and they thought it was me !
They threatened to expel me (more to frighten me I think since they had no proof), and made me the cleaning guy for all the semester.
It gave me an undeserved reputation of the guy who hacked the university computers. And a better sense of caution.
I definitely had too much free time at the times. :)
Apparently Apple already reports your offensive photos already, can’t imagine why browsing should be treated differently.
How do you define this?
> Apple already reports your offensive photos already
What?
Same as every tech company do with tons of other spam types.
> What?
https://techcrunch.com/2017/10/30/no-iphones-dont-have-a-spe...
>> This analysis generally happens inside a sandbox, and very little of what the systems determine makes it outside of that sandbox. There are special exceptions, of course, for things like child pornography, for which very special classifiers have been created and which are specifically permitted to reach outside that sandbox.
Unsure what is Techcrunch's source for this but it kinda makes sense.
Autohide menu bars are bad designs, and you have this on top of that.
Fullscreen API must be removed from browser for security reasons, new window hints should be removed too.
This was meant as a joke, and I never actually went through with it. I know the person very well but it still felt douchebaggy. But the idea was to make an app file, save it to some seemingly legitimate folder, and adding it to the autostart list.
The trick to hide the thing was to drag and drop Safari's logo onto it, and naming the app "Safan": it almost goes unnoticed when checking the Activity Monitor, thanks to the system font's proportions.
I guess I could have named it Disk Memory Manager or some other important-sounding thing.
Shouldn't it be "Ceci n'est pas une UI."? Since interface is a feminine word in French, the article in front of UI need to be feminine too.
Edit: does work with a refresh
But I guess you just need it to work often enough.
Sites with fake dialogs in my experience ask again the next time you open the page.
I take great pleasure in choosing ‘Allow’ in those custom dialogues and then ‘Deny’ when the native one pops up immediately afterwards.
Whether you click allow or deny, it shot off a network request to a third party domain. This lets the third party know your browser's user agent, and if they have an exploit for your browser they will send a payload that compromises the browser with the intent of installing an adware extension.
It failed to install on the machine I made for it (Ubuntu18/Chrome) but it did manage to navigate me to an advert from the click.
The best I can think of is that it does 2 things:
1. Preserves the "true" allow/deny prompt for a time when the user will allow.
2. Lulls the user into a sense of security. The page is nice and/or their browser will ask about anything the page tries to do.
It also needs to seem legitimate so people click it but don't report it.
Also I've seem some old ladies believing that a younger soldier from US needs help taking money out of %some country%.
A fake address bar, with a fake "look, I'm safe" mark on it? Yes, it'll do it.
I really think this should result in a permissions dialog from the browser.