This is a brilliant (and evil) method of monitoring user behavior without them necessarily even realizing what's going on. There are far more malicious applications you could use this for as well,...
This is a brilliant (and evil) method of monitoring user behavior without them necessarily even realizing what's going on. There are far more malicious applications you could use this for as well, and I'd be shocked if nobody else had ever thought of doing this.
It's yet another strong argument for using something like uMatrix or NoScript to keep as many scripts disabled as possible. Javascript is just too powerful in a lot of ways and opens up huge potential for abuse through methods like this.
It just goes to show how a seemingly minor issue (in this case hijacking the back button) can lead to huge security vulnerabilities. The technique could also be used (as they alluded to in the...
It just goes to show how a seemingly minor issue (in this case hijacking the back button) can lead to huge security vulnerabilities. The technique could also be used (as they alluded to in the article) to steal passwords from forms. For example imagine if you had the 'fake' Google page prompt users to reinput their account details.
I'm pretty savvy, I'm a professional developer. I'm pretty ashamed to admit just how much I'd trust the browser chrome without a second thought. I'd absolutely trust the back button and it's...
I'm pretty savvy, I'm a professional developer. I'm pretty ashamed to admit just how much I'd trust the browser chrome without a second thought. I'd absolutely trust the back button and it's unlikely I'd check the address bar after using it.
This is a brilliant (and evil) method of monitoring user behavior without them necessarily even realizing what's going on. There are far more malicious applications you could use this for as well, and I'd be shocked if nobody else had ever thought of doing this.
It's yet another strong argument for using something like uMatrix or NoScript to keep as many scripts disabled as possible. Javascript is just too powerful in a lot of ways and opens up huge potential for abuse through methods like this.
Shame he didn't responsibly disclose it. It's a good discovery but his approach may land him in some trouble.
He also mentions that this isn't the first time he's failed to disclose something responsibly.
Infosec is an exciting and potentially dangerous business. It's easy to get wrong. This guy may be about to learn that firsthand.
It just goes to show how a seemingly minor issue (in this case hijacking the back button) can lead to huge security vulnerabilities. The technique could also be used (as they alluded to in the article) to steal passwords from forms. For example imagine if you had the 'fake' Google page prompt users to reinput their account details.
I'm pretty savvy, I'm a professional developer. I'm pretty ashamed to admit just how much I'd trust the browser chrome without a second thought. I'd absolutely trust the back button and it's unlikely I'd check the address bar after using it.