

CSS Social Engineering

Or why browser history IS VERY BAD.

I’ve put together this quickie demo. Go there. If you haven’t been to PayPal recently you’ll be asked to go there. Click on the link, then come back. You’ll now see a red bar across the screen telling you that your last PayPal transaction has been revoked and that you should click on the provided link to fix it.

This is a 100% CSS-based social engineering attack. It works in IE7, Firefox and Opera (and I assume Safari as well as any other modern browser). And because you only see this message if PayPal is in your browser history, the chance that you’ll take this message seriously is certainly increased.

Now this is just a quick hack. With a bit of CSS hacking you could get it working in older browsers. You could also easily style the message that appears to look like a legitimate alert box dressed in the proper OS widgets or maybe as a toolbar message that’s part of the browser (like the alerts that pop up if you’re using NoScript).

There is a bit of JavaScript here in that it tries to mask the link you’re clicking on with the old window.status trick. But the meat and potatoes has NO JAVASCRIPT. This means that even with NoScript installed you’re still susceptible to something like this.

Now keep in mind this, in and of itself, is not a complete example of a typical social engineering attack that you might encounter on the web. It’s simply a demonstration of an extra layer that’s available to a malicious web site operator (or someone who’s cracked a vulnerable web site).

This is also a very crude example. A more clever person could check for several dozen links, each producing one or two sentences that, put together, tell a kind of story that helps gain the user’s trust: that the link they’re being asked to click is legit.

On the flip side a kind web site operator might provide a list of links in their navigation element to sites the user has already visited and hide those links they haven’t visited (or vice versa) to better cater to their needs.

There are lots of GOOD things you could do with this, but it opens a door to these social engineers that we can easily close, with little (if any) impact on us, by simply disabling browser history.
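As an added illustration (not part of the original post), here is a JavaScript check a site reviewer can run over a stylesheet to flag the pattern described above: `:visited` rules that set anything other than a colour, or that style a sibling or descendant of the visited link. The list of colour-only properties mirrors the restriction browsers have applied to `:visited` since the history-sniffing fixes of 2010–2011; the function name and the sample stylesheet are my own.

```javascript
// Added example, not code from the original post.
// Properties a browser still honours on :visited after the privacy fix;
// anything else (display, background-image, ...) can leak history.
const VISITED_SAFE_PROPS = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'text-decoration-color',
  'text-emphasis-color', 'fill', 'stroke',
]);

// Scan raw CSS text and return one finding per problem:
// { selector, problem } where problem is 'combinator after :visited'
// (the rule styles some *other* element based on history) or
// 'property <name>' (a non-colour property on a :visited rule).
function findHistorySniffingRules(cssText) {
  const findings = [];
  const stripped = cssText.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;                    // selector { decls }
  let m;
  while ((m = ruleRe.exec(stripped)) !== null) {
    const props = m[2].split(';')
      .map(d => d.split(':')[0].trim().toLowerCase())
      .filter(Boolean);
    for (const rawSel of m[1].split(',')) {
      const selector = rawSel.trim();
      if (!/:visited\b/.test(selector)) continue;
      // ":visited" followed by a descendant/child/sibling combinator
      if (/:visited[^\s>+~]*[\s>+~]+\S/.test(selector)) {
        findings.push({ selector, problem: 'combinator after :visited' });
      }
      for (const p of props) {
        if (!VISITED_SAFE_PROPS.has(p)) {
          findings.push({ selector, problem: `property ${p}` });
        }
      }
    }
  }
  return findings;
}

// Constructed sample, modelled on the demo the post describes (hypothetical selectors).
const SAMPLE_CSS = `
#bait a.paypal:visited + div.alert { display: block; }   /* the red bar trick */
a:visited { color: #800080; }                             /* harmless styling */
nav a:visited { display: none; }                          /* "kind operator" variant */
a.bank:visited { background-image: url(/seen?bank); }    /* leaks to the server */
`;

function scanSample() {
  return findHistorySniffingRules(SAMPLE_CSS);
}
```

Running `scanSample()` yields four findings: two for the red-bar rule (the `+` combinator and `display`), one for the navigation rule, and one for the `background-image` beacon; the plain colour rule is not reported.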



6 Responses


  1. Colin says

    Thanks for the alert Eric!

    I tried this in both FF 3.0.1 and Safari 3.1.2. I went to PayPal through your link and came back, even reloaded, but it didn’t work, no red bar across the screen.

    But I will certainly disable browser history. Never use it anyway.

  2. Ruthsarian says

    Odd. I’ve tested (and just re-tested) Firefox 3.0.1 and it works fine as long as browsing history is enabled.

  3. Colin says

    That’s FF 3.0.1 on a Mac, I tried it twice before posting the comment, and browsing history was enabled. I disabled it now though :)

    Perhaps it’s something to do with my Asian location?

  4. Ruthsarian says

    Possibly. Does PayPal redirect you to a different domain like paypal.jp or something other than paypal.com?

  5. Colin says

    The PayPal link your test uses takes me to paypal.com in my address bar, and I don’t notice any local PayPal address redirects in the status bar. Not to worry. Thanks for the warning to disallow browser history.

  6. Mat says

    Scary just how much a web site can gain from reading your history file. Definitely glad my history is switched off.


