1. 5
    1. 1

      History stuffing doesn’t look like that bad of a problem. The legitimate site or search you typed in is still the first result, and the one that I think almost all users will choose.

      Yes, the bad site can have a title like “CLICK HERE” or “free $20 coupon”, and that might entice users to click it in the autocomplete list. But I doubt that the users who might click it even read the autocomplete list. I’ve seen multiple people type out a full domain name even though the browser was suggesting it for them. And thus, if someone bothers to read the autocomplete list, they probably know that it just suggests sites with the keyword in the URL or title, rather than suggesting new, interesting sites to visit. And if they see “http://the-malicious-site.com/?domain=chase.com” in their suggestions, they would just think, “huh, I don’t remember visiting that page. Maybe it’s related to those utm= things I see in some URLs.”, then choose the first result.

      Is there some browser or user behavior I’m missing that makes this more of a problem?

      1. 1

        Consider a site that loads a hidden iframe that uses this tactic to stuff history from confusingly similar domains rather than “the-malicious-site.com”. A user might start typing “chase” in the browser bar to get to chase.com, but if a history-stuffed domain like “chaseinternetbanking.com” shows up, they might stop typing and just click on that one.

        [IDN homographs)[https://en.wikipedia.org/wiki/IDN_homograph_attack] might also be used, though I’m not sure how modern browsers are displaying those in the drop-down bar.