Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?
This is your opportunity to ask questions. No question too simple or too silly.
Culture war topics are accepted, and proposals for a better intro post are appreciated.
Jump in the discussion.
No email address required.
Notes -
Hoping early Monday isn't too late for a small-scale question, so here goes:
In the wake of a friend falling victim to a phishing scam in which they were convinced to send a screenshot of a link to a password reset page (indeed, head-slappingly bad), I'm currently being dragged in real life for my hot take, two-part opinion that
This scam was facilitated by the common advice that you should NEVER follow links because they could be from a hacker and then you will get hacked! and
This advice isn't actually very good, in the sense that nothing bad can really happen to you just from following some random link.
As a web developer I know something about how the web works, but obviously I don't know everything, so I'm curious if someone else can come up with a really bad outcome achievable just by clicking on a link. Could you, say, send an API request to a bank from within your webpage, and then read the response and cookies from the host page? I'm thinking this would be blocked by both browser and site technology. This has to be what CORS is for, right? Not just to annoy me while I'm developing?
Anyway, like I said, suggestions welcome.
Yeah, it shouldn't matter, but if a site has e.g. an XSS vulnerability the attacker will need to be able to run some initial Javascript as the victim to kick it off. Sending an email so that they'll visit a specific page might be just that.
Attackers can host exploit kits on the target site, which spray a bunch of exploits against your computer if you visit them. If your browser/plugins/extensions/OS isn't fully up to date this might very well successfully install malware. This was really relevant when I worked in IT security about 6 years ago but seems to have declined a lot recently; still, it shouldn't be dismissed out of hand quite yet.
Thanks for this, I hadn't heard of Exploit Kits before. That said, the vulnerability seems to come from the used-to-be-common experience where a browser would open an Adobe plugin or whatever, something which is uncommon-to-nonexistent nowadays. In the Wikipedia article the first source they site explaining what Exploit Kits are is an article from 2013!
I did ask for what's possible in the worst case scenario, so fair enough, but I'm still wondering if there are exploits that use a (modern) browser alone, without relying on opening other software. I guess this is another stupid question, but do browser plugins even exist anymore? I can't remember the last time I saw a page with a plug-in.
Yeah. Any time there's a zero-day exploit for a browser you can be sure that attacks will start using it fairly quickly. For example, cursorily searching online I found an example of two from last year targeting Chrome in the wild.
Edit: Here's another relevant article, from this year: "Google Patches Third Actively Exploited Chrome Zero-Day of 2022"
I'd say Flash and Java are completely dead for any moderately recent website, yeah. Still, computers might have the plugins installed; perhaps for some internal corporate website that will never been updated. Other than that, I'd guess the Adobe PDF plugin should be fairly common too.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link