A leading developer of Firefox has warned of a sneaky potential new form of phishing attack. Aza Raskin, the creative lead for Firefox, explains that the approach exploits the fact that most surfers keep many tabs open during a browsing session, without really keeping track of what sites they have visited. The so-called …
Opera, presumably without any knowledge of this particular attack seeing as I'm not using a "snapshot" version, just the last regular update, does the best that you can expect - the title bar changes to "Gmail" (but then you can hardly regulate titlebar changes!) but the printed URL in the address bar and the favicon stay identical to the version which "loaded" originally.
Though it is more interesting than most of these techniques, again it only fools the unwary who have been and always will be at risk because they don't bother to check things properly. If people don't check for padlocks / green security bars / etc. then they are stuffed anyway. 99% of people *don't*. And if you just ignore security certificate warnings or click Yes, then you're stuffed too.
Follow the oldest rules of all: If you want to log in to GMail, type in www.gmail.com into your browser. Don't click a link. If something asks you to "login again", check it thoroughly, no matter if you "thought" you were logged in already. (Incidentally, the latest Opera stable plays merry hell with the Register logins and I'm constantly being asked to re-log-in).
About once every six months or so GMail asks me to log in again, and that freaks me out and I have to check why. And even the Google Adsense thing (which asks you to login but also has a "Click here if you're a Google Account user" link) arouses my suspicions immediately because I should damn well already be logged in so the sight of some login boxes makes me suspicious.
And those people who *don't* work like that should be using their browser's privacy features like autologin on sites because that way their details WON'T be automatically plugged in on anything but the sites they were intended for, and hence you will "spot" these problems quicker.
It's interesting, will likely catch a LOT of people out, but it's nothing that hasn't always been possible, and nothing you can really "fix" except by whacking people around the earhole.
... seems to block this attack. Does this mean I don't need to worry about it?
NoScript will block this kind of attack as long as you don't allow scripts on the "bad" host, but if someone hacked a trusted site, then this type of attack won't be blocked.
> NoScript seems to block this attack. Does this mean I don't need to worry about it?
Only if you do indeed run NoScript, glasshopper.
Doesn't work here
The RequestPolicy extension prevents this attack from working properly; when it tries to display the GMail stuff, all I get is a blank page.
Any other scheme is treating a symptom instead of the root cause of the malady.
"But my websites will have less shiny" you say.
"A proper web design doesn't need stupid client side tricks to get you to interact with the site, and you sure as hell don't need this pox-causing language *or* the nitwit "programs" that are written in it on your computer in order to buy shoes, books or tat off eBay" sezzeye.
You know it makes sense.
Redirections are evil anyway
just block them.