The Next Web uses cheap JavaScript hack to fool you into installing an extension, heralds new age of phishing attacks

You may recall a couple of months ago when I falsely reported on what I thought was a new feature of Chrome. It was admittedly kind of neat: I thought websites could link themselves to a Chrome Extension, and pop up an alert at the top of your browser if you hadn't installed it.
As it turned out, it's just a cheap JavaScript hack that looks just like an official Chrome alert. I had hoped that I wouldn't see it again, but of course that was too much to ask of the Internet. As of today, The Next Web is now using it on every single one of its pages. Click through, check it out -- I'm sure they'll appreciate the extra ad impressions.
For a technology blog, TNW displays disgustingly little foresight. This bar is, in effect, an updated phishing or rogue malware attack. You all know the type: that pop-up that claims to scan your hard disk for viruses but actually installs a bunch of Trojans.
Does TNW not realise that you could make this bar link to a nefarious domain that looks exactly like the Chrome Extensions website? TNW's intentions might be benevolent, but with such high-profile use of this JavaScript copycat, I guarantee that phishers and malware writers will soon be using this bar for the forces of evil.
Wouldn't it be easy to change the appearance of the bar so that it's obviously not part of the browser? How about making it pink, or changing the logo on the left to something distinctly un-Chromeish?
TNW has just opened a smelly kettle of fish -- and from now on, I suggest you all read your Chrome alerts carefully before clicking.

Comments (19)

redrings, Jul 13th 2010 12:28PM
I would suggest that you always carefully read any alert from any program before clicking, maybe that's just me.
himanshu, Jul 15th 2010 2:21PM
I am an Indian user and I didn't see any such notifications on my Chrome browser. Maybe it is country-specific, or now they have removed it.
Zee, Jul 13th 2010 12:38PM
You should know that we added that this morning; it was built by the guys at idiomag.com, as is the JavaScript. Once we realised that it could potentially confuse or "trick" people we removed it.
Class act you've got here btw.
Sebastian Anthony, Jul 13th 2010 12:39PM
*tips hat* I let you know beforehand! Only the finest treatment for Sir Zee.
216, Jul 13th 2010 1:07PM
I've seen this alert on a few different pages across the web, and I was assuming it was a Chrome feature. But I definitely don't hit install.
Andy Gratton, Jul 13th 2010 2:01PM
'The Independent' newspaper in the UK does the same thing... http://www.independent.co.uk/
Sebastian Anthony, Jul 13th 2010 3:24PM
Yeah, that was where I initially saw it!
Csulok, Jul 13th 2010 2:02PM
huffingtonpost does this too
Sebastian Anthony, Jul 13th 2010 3:26PM
Ach! It's spreading!
At least they changed the logo on the left to an 'H', though :)
Sebastian Anthony, Jul 13th 2010 3:24PM
So I see! At least theirs doesn't look like a built-in Chrome thing :)
Teresa McGurk, Jul 13th 2010 3:44PM
10 points for "smelly kettle of fish" and 5 for "unChromeish."
Thanks!
Sebastian Anthony, Jul 13th 2010 3:59PM
Thanks! I wasn't quite sure how to render unChromeish... but it looks kinda cool like that, eh? :P
Teresa McGurk, Jul 13th 2010 4:44PM
yep -- so much better than unChromeworthy, which is kind of a value statement rather than a statement of fact.
(The other adjective would be unChromeitudinous, but that's only for the pedants, with the noun unChromeitudinosity. Way too pompous).
Sebastian Anthony, Jul 13th 2010 4:54PM
*files those away for future use*
Barry, Jul 14th 2010 12:33PM
One thing to notice is the scrollbar is beside the bar. A real notification bar exists above the scrollbar (i.e. it's above the page rather than part of the page).
Sebastian Anthony, Jul 14th 2010 12:36PM
Very good tip :)
James, Jul 15th 2010 10:31PM
Quick check: Firefox has an explicit whitelist for domains that are allowed to provide extensions, and makes a very clear "you can't install extensions from notmozilla.com; click here to add to the whitelist" popup when you try. Doesn't Chrome do the same thing?
Sebastian Anthony, Jul 16th 2010 6:41AM
There are some security checks, but this isn't an extension install link! It just links through to the official Chrome Extension site :)
jacop.anderson, Oct 3rd 2010 1:24PM
For a technology blog, TNW displays disgustingly little foresight. This bar is, in effect, an updated phishing or rogue malware attack. You all know the type: that pop-up that claims to scan your hard disk for viruses but actually installs a bunch of Trojans.