1. 28
  1. 19

    “Reasons to have a weird desktop on linux #153”

    1. 8

      Feels like the real takeaway here was that allowing pages to open new windows unprompted was a terrible mistake from the beginning.

      1. 4

        Does it need to be a new browser window? I thought it was done by painting a window using Javascript?

        1. 6

          Which is right, but if browsers weren’t allowed to open a new window, this deception would seem alarming instead of natural behaviour.

          1. 3

            This pretends to open a new window, but the other comment is still fair. Consider if websites could never open new windows - there would always be two zones that don’t overlap: the web content zone and the browser frame zone. Users could (in theory) be trained not to trust anything in the web content zone since it might be fake.

            But when an overlapped window pops up, that line gets blurred. Something might be surrounded by a browser frame, yet itself legitimately be another trusted browser frame (the overlapping popup window). So it erodes that strict “don’t trust things inside this box*” rule.

            A while ago, there was a way to make a popup window with no extra browser frame. No url box, etc. That feature was removed for exactly this reason: without a browser frame, the separation of trusted browser vs untrusted content was impossible to determine. This OP demo shows it is still difficult to determine.

            • unless you put it there yourself, overlapping windows are still a nice feature but if you put it there yourself vs a popup from the browser you’re more likely to know what it is.

            The good news is I’m pretty sure all popup windows still get a slot on the OS taskbar… but with the recent Windows taskbars being transformed into useless application groupings instead of actual representations of open windows, that’s not much help to anyone except the eagle-eyed check-and-double-check everything user.

        2. 8

          A good side effect of using a password manager in the browser is that it won’t be fooled by this. The user may of course override it by pasting in their password regardless – it is therefore necessary to train the users to always be extremely suspicious if the username and password aren’t autofilled/detected by the password manager.

          1. 2

            I’ve noticed a number of legitimate (Shopify?) e-commerce websites that prompt the user to enter their PayPal credentials directly into elements on the merchant’s website. It’s crazy that they’re encouraging this kind of user behavior.

            1. 3

              Or there’s Plaid, which has you enter the credentials for your bank and then the 2FA code into whatever app or website you are connecting.

              1. 1

                > I’ve noticed a number of legitimate (Shopify?) e-commerce websites that prompt the user to enter their PayPal credentials directly into elements on the merchant’s website. It’s crazy that they’re encouraging this kind of user behavior.

                Crazy or not crazy, it depends on how willing you are to even entertain the idea of the current web as something sane.

            2. 8

              Oh my god I adore this. It sounds incredibly effective and I’d probably fall for it if I didn’t have a password manager, but the idea of pretending to open a new browser window is… endearing, somehow? I don’t know why but it reminds me of this really old Cracked.com piece on vampire squids:

              In the poorly lit surroundings this exposed black underbelly also cloaks the squid for a retreat, which it would totally do if it hadn’t just eaten. It doesn’t want to get cramps, you know? So instead of running, it illuminates photophores set behind its eyes and slowly contracts them, giving the illusion of shrinking into the distance.

              Let us emphasize that it doesn’t actually run away. It is so profoundly lazy that it is already conserving energy for all of the floating it will be doing later. That’s like evading a knife-wielding maniac by doing one of those “walking down fake stairs” tricks before curling up and taking a nap behind the couch.

              1. 6

                So theming in window managers and operating systems can be considered a security feature?

                1. 7

                  Yes, not to mention using a tiled WM.

                  1. 2

                    Perhaps a security mitigation in the future is for every windows/osx install to by default configure a random color scheme to mitigate issues like this. Perhaps chromium and firefox will do it?

                  2. 6

                    Yet another reason we all should be using FIDO keys. (They generate a temporary token that’s unique per domain, so most phishing including this one won’t work. SMS 2FA and TOTP don’t have this property.)

                    1. 5

                      Too bad most websites stop at TOTP (and have the gall to label it “Google Authenticator”). Heck my bank only supports SMS.

                    2. 4

                      Variants of this have been talked about for years, of course, going back to [1] in 1997 (a minor result in this case) and later in 2007 [2] showing this kind of trickery simulating window chrome in the browser. H/T to Steve Bellovin for digging these references out!

                      Hardware tokens seem like a silver bullet, but they pose their own UI/UX challenges, and not to mention the need for a workflow when people lose or forget the token… usually the part attackers would abuse.

                      For a very sophisticated attack, remember that the token itself does not know who it is talking to. If you know the rpId for a site and the key handle for a user’s enrolment, then subvert the browser’s controls… you can get the authenticator to sign any challenge. Hopefully that is a high enough bar to keep that out of the more mainstream realm though.

                      Still, bring on the hardware tokens and platform authenticators, it’s the best solution we have.

                      [1] https://www.drewdean.net/papers/spoofing.pdf
                      [2] https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf
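The per-domain binding that the FIDO comment above relies on, and the rpId/key-handle caveat in this reply, shown as an added example that is not code from the thread: a constructed toy model of the WebAuthn assertion flow in which the browser (not the page) records the origin and enforces the rpId rule, the authenticator only holds credentials scoped to an rpIdHash, and the relying party checks challenge, origin and rpIdHash before accepting a signature. HMAC stands in for the real ES256 signature, and bank.example / bank.example.evil are made-up names.

```python
import hashlib, hmac, json, os, secrets

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

class SimAuthenticator:
    """Stand-in FIDO key: credentials are scoped to an rpIdHash; HMAC replaces ES256 (constructed)."""
    def __init__(self):
        self.creds = {}  # (rpIdHash, credential_id) -> key
    def make_credential(self, rp_id):
        cred_id, key = os.urandom(16), os.urandom(32)
        self.creds[(rp_id_hash(rp_id), cred_id)] = key
        return cred_id, key  # key handed back only so the toy RP below can verify
    def get_assertion(self, rp_id, cred_id, client_data_hash):
        key = self.creds[(rp_id_hash(rp_id), cred_id)]  # KeyError: no credential for this rpId
        auth_data = rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")  # rpIdHash|flags|counter
        return auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get(authn, page_origin, rp_id, cred_id, challenge):
    """The browser records the page origin itself and refuses an rpId the origin does not own."""
    host = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId is not a registrable suffix of the origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data, sig = authn.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig

def rp_verify(client_data, auth_data, sig, key, challenge, origin="https://bank.example", rp_id="bank.example"):
    cd = json.loads(client_data)
    if (cd.get("type"), cd.get("challenge"), cd.get("origin")) != ("webauthn.get", challenge, origin) \
            or auth_data[:32] != rp_id_hash(rp_id):
        return False  # wrong origin, stale challenge or foreign rpId: signature never even checked
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def demo():
    authn = SimAuthenticator()
    cred_id, key = authn.make_credential("bank.example")
    chal = secrets.token_urlsafe(32)
    genuine = rp_verify(*browser_get(authn, "https://bank.example", "bank.example", cred_id, chal), key, chal)
    outcomes = []
    for rp_id in ("bank.example", "bank.example.evil"):  # look-alike page asks for the bank's rpId, then its own
        try:
            browser_get(authn, "https://bank.example.evil", rp_id, cred_id, chal)
            outcomes.append("signed")
        except (PermissionError, KeyError) as e:
            outcomes.append(type(e).__name__)
    return genuine, outcomes
```

The two failures are the "unique per domain" property: a fake popup on another origin can neither borrow the bank's rpId nor find a credential under its own, and an assertion carried over from elsewhere still fails the origin check at the RP.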

                      1. 3

                        The author could eliminate that last bit of “non-realness” by using text-overflow: ellipsis;.

                        1. 3

                          This reminds me of “chromeless” windows that were possible back in the early 2000s. There was a trend for making things like Flash websites that opened in popups without any window chrome, before fullscreen mode was a thing. All that got taken away because, aside from the mess of pop-unders and horrible accessibility, people were also using it to fake things like the Windows login screen to steal system passwords.

                          Some form or another of this gets rediscovered every now and then. The problem is there’s very little that can be done about it without some way to communicate with the user out-of-band. An on-screen pixel is just a pixel no matter who put it there.

                          Maybe what we need is something similar to Gravatars, which produce a pattern around OS windows that’s unique to each user and known only to the kernel. I’m sure eventually someone will find a way to trick users into taking a physical photo of their screen and upload it from their phone, but it would maybe buy us 2-3 years of increased security in the meantime.

                          1. 1

                            It’s not the first time I’ve seen this type of attack where the attacker draws false native windows.

                            In the future we might be able to compile a whole customized browser and have it run inside a web page. That will probably be very worrying from a security standpoint.

                            1. 1

                              All it needs to make it look real is to simulate Windows’s janky window-appear animation.