Take a look at the below screenshot from Safari for iOS. What website am I on?
Based on the contents of the page, I’m clearly on the NYTimes website, but based on the address bar I’m clearly on google.com. If I click in the address bar I see https://www.google.com/amp/s/www.nytimes.com/2020/05/22/technology/google-antitrust.amp.html, but if I click LOG IN on the page I go to nytimes.com/*.
To be blunt, this is a really dangerous pattern: Google serves NYTimes’ controlled content on a Google domain. It confuses the user whether to trust the address in URL bar or the content of the page. This confusion is precisely why phishing attempts work so well. Humans trust visual indicators a lot. Google, with the AMP Cache Project, is confusing humans more and training them to trust visual content of the page over the URL in the address bar. This surprises me since Google spends a lot of time researching visual indicators of security in the address bar (like the padlock icon).
from Hacker News https://ift.tt/2NVNOjo
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.