> "Users seldom read home page “fluff” and often look for things like testimonials, case studies, pricing levels and staff profiles / company information in search for credibility and trust. One of my upcoming tests will be to combine home page with “about us”, “testimonials”, “case studies” and “packages”. This would give users all they really want on a single page."
Shady tactics aside, this was interesting but could also have been measured by simply tracking his own website.
Thanks for posting this. I am increasingly frustrated with browsers' weak stance on user control. Hijacking back buttons, right clicks, copy functions, and other items has become quite commonplace and even expected. For example, YouTube puts some functions only in the right-click menu and TinkerCad's viewport rotation is primarily right-click and drag.
Presumably, this is in pursuit of making web pages behave more like apps, but it is truly frustrating. If I wanted app behavior, I'd install an app (even something like Chrome's apps). While I'm in a web browser on a web page, I expect to interact with the web browser primarily and the web page through the browser intermediary.
As a counterpoint, I don’t want to download apps when webapps suffice. I appreciate when a right click gives me the options I’m hoping for rather than a set of generic Chrome actions that aren’t what I want. I also appreciate when copying works how I want it to (e.g. copy paste in google docs or Figma work as I expect it to, including all styles). And hijacking browser history doesn’t seem to me like it adds much exposure, because the attack vector is still there without browser support (when a user enters your site, auto redirect to google.mydomain.com, which then auto redirects to your content. Back button now will return you to google.mydomain.com without relying on custom browser back button shenanigans).
Turn off JS except on whitelisted sites and you'll experience a saner web. Unfortunately even static text is often hidden behind such "app-site" monstrosities these days.
There’s nothing that infuriates me more than trying to read an article and suddenly being forced to either spam the back button or close the tab entirely.
I’m usually not interested in social engineering which I think is boring stuff, but I think that (1) this is a weakness on my part as a developer with something of a security focus, and (2) this is perhaps the perfect sweet spot of social engineering and programming.
It is an utterly fascinating takedown of the back button hijack. Totally unethical but also very eye-opening for me.
Is this kind of back button hijack and history rewriting still possible in modern browsers? Edit: this link leads me to believe this may still be possible: https://developer.mozilla.org/en-US/docs/Web/API/History - would love a confirmation.
The quote from a security researcher at the end treats this like a vulnerability.
If this were early days of the web, I'd agree, but web browsers allow so many other shady tactics, this feels more like the web working as intended.
(Yes, phishing attacks are bad, but the browser back button spec is specifically designed to allow these sorts of shenanigans, with basically zero legitimate use cases -- the only use case I can think of is telling the browser certain actions should not push themselves onto the back button stack).
> with basically zero legitimate use cases -- the only use case I can think of is telling the browser certain actions should not push themselves onto the back button stack).
I agree on the "legitimate" part, but I suspect one of the main reasons is that Google and Apple both really want people to be creating SPAs that pretend to be real apps, and that's hard to do without being able to hijack the back button for navigation.
Middle mouse button click for any link. I don't remember the last time I used back. Just open and close tabs based on what I want to do. I learned this during research methods in graduate school as a way to avoid losing valuable studies while working on the various archaic databases, and it stuck. I know every graduate student at my university learned the same thing.
In a similar way that I choose to use backspace vs ctrl+z, I may use the back button or open a new tab (or duplicate tab, then go back), depending on if I want to keep current context or discard my current work.
It's not true that researchers always do a minimal PoC. I've seen so many people release fully weaponized attack toolkits, ostensibly for red teams etc., that then end up being abused by actual attackers. These are not just PoCs, but ready-to-reuse, universal toolkits.
OTOH, sometimes a harmless PoC isn't enough to induce action, and a proper attack PoC does. I think this may be such a case.
As much fun as it is seeing everybody reiterate the "SPAs are stupid and we should all go back to native apps" argument for the thousandth time with exactly the same arguments again...
It's all a moot point, because you can reproduce this particular attack using nothing but 2001-era DHTML. Start with a page that has a hidden iframe, a link that targets it, and a timer that polls the contents of the iframe. When the page first loads, use JS to click the link to add a new item to the back stack. If clicking the link with JavaScript doesn't add a back stack item, make the link visible, but also attach an onclick event handler to it so that the link can simultaneously do what you want and also do what the victim wants.
After you've poisoned the back stack, you can detect that the user clicked "back" when the iframe gets reset back to its initial page. Once this is done, use `document.body.innerHTML = whatever` to set up your fake SERP.
This attack is similar to linking to g00g1e.com and setting up a mock page there. Impersonating sites is going to be hard to secure technically at all.
Am I missing something? This “hack” requires you to go to his site first, then use the back button and then click on a (fake) competitor link. How is he ever going to get people to his site in the first place? And if it’s through paid ads, why not create a fake paid ad that directs you straight to his fake site in the first place? All sounds very much like a marketer who uses the veil of “security researcher” to hide a scam.
> later used it to mess with conspiracy theory people
I always find it funny how these hackers grasp for some othered group that they can justify mistreating. If you're gonna be a hacker, stop pretending that you're a moral being and accept what you are.
I despise sites that hijack my back button (No, I don't want to check any of these DENTISTS HATE THIS MOM'S NEW TRICK clickbait articles thanks) so I can't say I'm surprised there are malicious uses for it, but wow!
We actually had an accidental back button hijack at a place I used to work at. It was an SPA, where if you navigated to / it would check if you were logged in. If so, you would be redirected (client-side) to /home, otherwise you were sent to /login. This was done with pushState() instead of replaceState(), so going back from /home would take you to / which would immediately see that you were logged in and send you back to /home.
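The accidental loop described in the comment above, as an added example that is not code from the thread or from that site: a tiny in-memory model of the browser history stack, an SPA router that redirects `/` to `/home`, and a simulation of the back button. The paths, the `loggedIn` flag and the "previous page" URL are constructed assumptions.

```javascript
// Minimal model of the session history stack (added example, not the
// original site's code). Mirrors the parts of pushState/replaceState/back
// that matter for the loop: push truncates forward entries and appends,
// replace overwrites the current entry, back moves the index.
class FakeHistory {
  constructor(initialPath) {
    this.entries = [initialPath];
    this.index = 0;
  }
  get current() { return this.entries[this.index]; }
  pushState(path) {
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push(path);
    this.index = this.entries.length - 1;
  }
  replaceState(path) {
    this.entries[this.index] = path;
  }
  back() {
    if (this.index > 0) this.index -= 1;
    return this.current;
  }
}

// The SPA's route handler: on "/" send the user to /home or /login.
// useReplace=false is the buggy version from the comment; true is the fix.
function route(history, loggedIn, useReplace) {
  if (history.current !== '/') return history.current;
  const target = loggedIn ? '/home' : '/login';
  if (useReplace) history.replaceState(target);
  else history.pushState(target);
  return history.current;
}

// Simulate a logged-in user who arrives at "/" from an earlier page and
// then presses back `presses` times. The router re-runs on every popstate,
// as a real SPA would. Returns the path seen after each press.
function simulateBack(useReplace, presses = 3) {
  const history = new FakeHistory('https://example.test/previous'); // constructed
  history.pushState('/');            // user navigates to the app root
  route(history, true, useReplace);  // client-side redirect
  const seen = [];
  for (let i = 0; i < presses; i++) {
    history.back();
    route(history, true, useReplace);
    seen.push(history.current);
  }
  return seen;
}
```

With `pushState()` every back press lands on `/`, which immediately pushes `/home` again, so the user can never leave; with `replaceState()` the `/` entry never survives, and one back press returns to the previous page.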
Unfortunately, the feature itself is vital for making web apps work in anything like a coherent fashion, so it isn't something that can be disabled (though there may be meat on the bones of permission-gating it).
O__________O | 3 years ago
Examples of press on topic:
https://valleywag.gawker.com/how-a-hacker-intercepted-fbi-an...
https://www.theverge.com/2014/2/28/5458610/fake-google-maps-...
rhplus | 3 years ago
Perhaps his competitors were established, trusted brands, whereas his is one that hijacks back-buttons to trick his own customers.
placatedmayhem | 3 years ago
The Line of Death discussion is highly relevant: https://news.ycombinator.com/item?id=13400291
chrisshroba | 3 years ago
Disclaimer: I work for Figma.
fazfq | 3 years ago
If you double-right-click (huh) you can see the "normal" menu. If you use Firefox you can shift-right-click also.
yamtaddle | 3 years ago
Ever letting Javascript initiate requests on its own was a mistake, to pick one major blunder.
Loughla | 3 years ago
I also assumed most people did this.
paulcole | 3 years ago
Just like there’s a lot of people who would never send money to a prince from Africa. A lot of people will…