WallyFunk | 2 years ago

Interesting project. One thing I noticed: when I clicked the button, a fullscreen window got spawned, without any prompt asking me if I should enter fullscreen (latest Firefox). On a side note: this could be used for browser-in-the-browser attacks[0] where someone could present a mock browser UI with a fake URL.

Other than that, it's a great project. Anything to just sit without distractions gives us an unfair advantage over the majority of the world's population who are addicted to phones.

[0] https://mrd0x.com/browser-in-the-browser-phishing-attack/

JoshTriplett|2 years ago

Browsers allow entering fullscreen as long as it's in response to user input, such as clicking a button. When entering fullscreen, browsers emit a prompt about exiting fullscreen, partly to make sure people know how to exit and partly to make sure entering fullscreen doesn't go unnoticed. So, it'd be hard to pull off such an attack.

odensc|2 years ago

> So, it'd be hard to pull off such an attack.

That's what you'd think, but people rarely pay that much attention. The fullscreen prompt only shows up for a few seconds.

For example, recently a family member clicked on a fake YouTube link from an ad in Google's search results. Clicked the search bar and it immediately turned their whole screen into a "call apple support" popup.

They called me up because they thought it was a virus, but really it was just a fullscreen webpage, and being not very technologically inclined, they didn't even try Esc, Cmd+Tab, Cmd+Q, etc.

atahanacar|2 years ago

> So, it'd be hard to pull off such an attack.

How many people actually read prompts? People literally share 2FA codes with scammers over the phone even though the SMS itself tells them not to share it with anyone, including their own support workers.

MrYellowP|2 years ago

This post turned out to be wildly off-topic to the actual topic, but it's relevant for this subthread of the conversation and I've written so many words already that I might as well post it:

I believe that fullscreen notification got implemented exactly because of people not noticing their browser went into fullscreen mode.

I agree with some other poster, that it's unreasonable to assume that a majority of people would actually read the message. Luckily, though, that's not actually necessary. It's enough for them to notice that there was something fading away. Something unexpected happened.

Now it gets interesting: Regardless of people actively reading "Press [Esc]", as long as it was within their vision, their brain would still process it anyway.

This means that, in the state of confusion caused by the fading text, they'd be wondering "what just happened?" and their brain would execute the command "press [Esc]" regardless of the text being actively read or not.

The state of confusion causes the input to go right through, getting it executed, causing the user to press Escape.

That's a really fucking neat confusion technique!

PS: I'm not good at linking to topics so people gain better understanding, but I'll just read through some until I find good ones.

Milton Erickson's confusion technique. ( https://www.scribd.com/document/179357099/Milton-Erickson-TH... )

Quora's ChatGPT ( https://www.quora.com/What-is-a-simple-pattern-interrupt-con... ) has a few good lines to write about a confusion technique called "pattern interrupt".

This one here ( https://www.sciencedaily.com/releases/2007/09/070912124017.h... ) is interesting. They either pretend, or are unaware of the fact, that they are using a confusion technique to program the client.

JohnFen|2 years ago

> when I clicked the button, a fullscreen window got spawned, without any prompt asking me

This behavior is a pet peeve of mine. I almost never want anything to be fullscreen, and it's extremely irritating when applications do it or, especially, when a website makes the browser do it.