|f.kapnist||3/29/09 6:07 PM||<This message has been deleted.>|
|f.kapnist||3/29/09 6:33 PM||<This message has been deleted.>|
|Re: Here is a fake "Chrome Status Bar" exploit example||JECShack||3/29/09 10:46 PM|
Very nice. This is the same thing for graphic ads with a non-popping (and sometimes vibrating) XP, loading bars, Windows Live invitations and more.
I don't think it's necessary for them (the developers) to change the status bubble. :]
But it's interesting nonetheless.
|Re: Here is a fake "Chrome Status Bar" exploit example||kevinstonge||3/30/09 1:23 AM|
Thank you f.kapnist. I do think that this is a valid concern (although not a terribly big threat). Unfortunately, I'm not sure if there is any way Chrome can fix this issue without bringing back the old fashioned status bar (which I don't particularly want them to do). Perhaps they could ADD code to show a short message whenever an 'onmouseover' event is triggered.
I will explain why I don't think this is a huge problem: I'm not likely to navigate to my bank's website (or any other sensitive site) via a link on a third party website.. that would just be silly of me. Nevertheless, I do find the statusbar text to be valuable and useful, and it is unfortunate that it can be spoofed so easily.
Thank you for writing this code, hopefully some good will come of it.
|Re: Here is a fake "Chrome Status Bar" exploit example||f.kapnist||3/30/09 8:31 AM|
RE: it's not an actual URL
It isn't an URL, but it can steal passwords and send them via cookie to unauthorized
|Re: Here is a fake "Chrome Status Bar" exploit example||f.kapnist||3/30/09 8:33 AM|
RE: the old fashioned status bar
As long as the Chrome Status Bar overlaps the page content, someone can mimic a fake lookalike. I'd like to see the Status Bar somewhere outside of the page's content. It can even popup at the top of the browser, why not?
|Re: Here is a fake "Chrome Status Bar" exploit example||Shawn (Googler)||3/30/09 11:51 AM|
Thanks Peter for voicing your concern and for the demo. The status bar was never intended to be a security indicator and we've gone through measure to make sure that nothing can be done to change the actual status bar. But there's possibly more that can be done to educate users to look at valid security indicators like the address bar or the lock icon and dialog.
Thanks all for your feedback.
|Re: Here is a fake "Chrome Status Bar" exploit example||f.kapnist||3/31/09 7:12 AM|
Shawn: The only flaw I really see in Chrome is its lack of "Select All" on the right click menu when not in a text box. To see how incomplete it is, try copying this entire page and paste it into your Notepad. Either you have to drag your cursor over everthing from the top of the page to the bottom, or you have to remember what the Windows keyboard shortcuts are.
|Re: Here is a fake "Chrome Status Bar" exploit example||Dejan1024||3/31/09 7:30 AM|
I expected you will make this one :)
However, with you "fake mouse over" you forgot to include a link that goes somewhere, so you can see Chrome's status bar show over the fake one. So you can't fake link addresses in status bar.
As for the "loading message" faking, that is plausible... but again, you need to click a link in order to start loading :) Besides, as you said, "you would have to be pretty unexperienced to fall for a status bar spoof".
On a side note: "Select All" keyboard shortcut is worth remembering. Copy/Paste, Slect All, Find, are the shortcuts everyone should know.
|Re: Here is a fake "Chrome Status Bar" exploit example||f.kapnist||3/31/09 2:20 PM|
Dejan1024: Re: with you "fake mouse over" you forgot to include a link that goes somewhere.
Look, I don't have time to fiddle with other's problems. I could easily have made the fake link open a hidden element designed to look like another new page (with style.display="block"). But as I said it was a crude example. Anyway the real URL is at the top of the browser in the address bar. But some people might not look for it.
|Re: Here is a fake "Chrome Status Bar" exploit example||f.kapnist||3/31/09 2:22 PM|
Dejan1024: I do know the Select All shortcut. But I have to remove my eyeglasses every time to see my keyboard. And I use Select All dozens of times during my work.
|Re: Here is a fake "Chrome Status Bar" exploit example||f.kapnist||3/31/09 2:39 PM|
Dejan1024: A clever hacker would design a page that NEVER evokes the Chrome status bar! The page would not link anywhere, yet it would appear to with its own fake status bar info and some hidden elements that make you think you are loading a new "bank-account" page. The object of such a spoof would be to steal your password. I think the top address bar could also be made to show an URL that isn't actually loaded by using an iframe with a similar domain name using non-Latin characters. But if the Google status bar stays off the webpage content it cannot be imitated by a deceptive lookalike. No headaches. It is a simple, time-tested solution. You can't improve on the 360 degree circle, guys. Stay off web page real estate and everyone wins.
|Re: Here is a fake "Chrome Status Bar" exploit example||f.kapnist||3/31/09 3:13 PM|
Dejan1024: THE PART THAT REALLY GETS ME IS THIS: right click on this page (or any page) and select "View page source." When the source code loads there is still no Select All function! Someone was asleep at the wheel if its not easy to select and copy source code !! zzzz
|Re: Here is a fake "Chrome Status Bar" exploit example||Mohamed Mansour||3/31/09 6:44 PM|
|Re: Here is a fake "Chrome Status Bar" exploit example||chrisj||7/16/09 2:03 AM|
Here is another version of the exploit with a video demonstration:
I really think the Google Chrome devs should watch this and see how real the possibility for social-engineering exploitation is when executed properly.
|Re: Here is a fake "Chrome Status Bar" exploit example||f.kapnist||7/16/09 8:17 AM|