Tuesday, August 3, 2010

The Next Web uses cheap JavaScript hack to fool you into installing an extension, heralds new age of phishing attacks

Filed under: Security, web 2.0, Browsers
Update: The Next Web has now removed the JavaScript alert bar. Hooray!

You may recall a couple of months ago when I falsely reported on what I thought was a new feature of Chrome. It was admittedly kind of neat: I thought websites could link themselves to a Chrome Extension, and pop up an alert at the top of your browser if you hadn't installed it.

As it turned out, it's just a cheap JavaScript hack that looks just like an official Chrome alert. I had hoped that I wouldn't see it again, but of course that was too much to ask of the Internet. As of today, The Next Web is now using it on every single one of its pages. Click through, check it out -- I'm sure they'll appreciate the extra ad impressions.

For a technology blog, TNW displays disgustingly little foresight. This bar is, in effect, an updated phishing or rogue malware attack. You all know the type: that pop-up that claims to scan your hard disk for viruses but actually installs a bunch of Trojans.

Does TNW not realise that you could make this bar link to a nefarious domain that looks exactly like the Chrome Extensions website? TNW's intentions might be benevolent, but with such high-profile use of this JavaScript copycat, I guarantee that phishers and malware writers will soon be using this bar for the forces of evil.

Wouldn't it be easy to change the appearance of the bar so that it's obviously not part of the browser? How about making it pink, or changing the logo on the left to something distinctly un-Chromeish?

TNW has just opened a smelly kettle of fish -- and from now on, I suggest you all read your Chrome alerts carefully before clicking.

The Next Web uses cheap JavaScript hack to fool you into installing an extension, heralds new age of phishing attacks originally appeared on Download Squad on Tue, 13 Jul 2010 12:00:00 EST.