Small-Scale Question Sunday for October 30, 2022

Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?

This is your opportunity to ask questions. No question too simple or too silly.

Culture war topics are accepted, and proposals for a better intro post are appreciated.


Hoping early Monday isn't too late for a small-scale question, so here goes:

In the wake of a friend falling victim to a phishing scam in which they were convinced to send a screenshot of a link to a password reset page (indeed, head-slappingly bad), I'm currently being dragged in real life for my hot-take, two-part opinion that

  1. This scam was facilitated by the common advice that you should NEVER follow links because they could be from a hacker and then you will get hacked! and

  2. This advice isn't actually very good, in the sense that nothing bad can really happen to you just from following some random link.

As a web developer I know something about how the web works, but obviously I don't know everything, so I'm curious if someone else can come up with a really bad outcome achievable just by clicking on a link. Could you, say, send an API request to a bank from within your webpage, and then read the response and cookies from the host page? I'm thinking this would be blocked by both browser and site technology. This has to be what CORS is for, right? Not just to annoy me while I'm developing?

Anyway, like I said, suggestions welcome.

You gotta understand the zero-day market a little to understand how that works.

Ideally, it's impossible for just loading a webpage to do anything bad. Web browsers are massively complex pieces of software though, and they basically all have lots of bugs that render the situation non-ideal. Web browser vendors make active efforts to be aware of any such bugs as quickly as possible, and patch them and get those patches out as quickly as possible, hence things like Chrome's rapid update rate. A "zero-day" bug/exploit basically means a way to escape the web browser sandbox that the browser vendors / security community are not aware of yet. Once they are aware of them, they are often patched within days or hours.

Creating new exploits is very difficult and highly valuable due to how useful they can be against the right targets. But since efforts to discover exploits actively in use and patch the bugs they use are so active, it is also valuable to those who create and own them to not use them too widely: as soon as the right person notices them, they can be patched very fast, making that one worthless. They are generally created by national intelligence agencies, some shady companies and less scrupulous individuals, and may be sold either back to browser vendors, for five- to six-figure sums, or to those companies, criminal gangs, etc., for probably similar or higher sums. It is to the benefit of such entities to not use them too widely, since they'll be worthless as soon as the wrong person notices them, so they're usually used in highly targeted attacks against specific individuals, and engineered to not be deployed unless the situation is right. Wider targeting probably only happens as a last-ditch effort to get a little more value out of something already patched, hoping to catch some users who haven't updated their browsers yet with a low-value but wide-net attack.

So ideally just going to a website shouldn't hurt anything, but it's probably good advice not to, because (1) it does leak some information no matter what, (2) less sophisticated users, or just people who are tired or distracted, can surprisingly often be tricked into entering credentials into phishing sites, and (3) you never know when you might be targeted for attack by something nasty, or not be the intended target but get it anyways, or just be the guy who had the bad luck to have the browser auto-patch run a little later than usual.