Browsers’ Interfaces Are Insecure

As browsers continue to add new features, many of them need to notify or request confirmation from the user. These notifications and dialogs are showing outside the browser interface and appear inside or overtop of the content window (considered to be untrusted since any content can be displayed by developers). This means that content developers can mimic these notifications easier and trick (or bait/phish) users into clicking or submitting information to dialogs that are not part of the browser.

A family member was recently subject to something very similar  last week. The browser was being forced into fullscreen mode. Popups were repeatedly sent to prevent being able to do anything else with the browser. Whenever I hit F11 to exit fullscreen mode, it immediately went back into fullscreen mode. At the same time the browser’s interface (address bar, tabs, bookmarks, etc.) could have been faked within that full screen browser tab. Since many browsers today use the same or similar technology to render their interfaces it can be easily mimicked using HTML & CSS. Luckily I was able to prevent the popups and close the browser window using Ctrl + W. An simple [may not be perfect] fix for this is to require requesting the user approve going to fullscreen in cases other than for the video tag – similar to how the user’s location must be requested.

These encroachments have security researchers worried because it means that none of the browser window can be trusted and phishing schemes / scams will likely become increasingly successful when the user believes they are interacting with the browser when they are really interacting with the content of a potentially malicious website.

http://www.theregister.co.uk/2017/01/19/browser_line_of_death/

Leave a Reply

Your email address will not be published. Required fields are marked *