this post was submitted on 14 Sep 2024
1334 points (99.0% liked)

Technology

59091 readers
5160 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
1334
Be careful. (feddit.org)
submitted 1 month ago by [email protected] to c/[email protected]
175 comments fedilink hide all child comments
 

Source.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 184 points 1 month ago* (last edited 1 month ago) (2 children)

It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it. That would be a pretty obvious security and privacy issue. From what I gather, on Chrome sites can write to the clipboard without approval, but they need approval to read. ~~On Firefox and others any access requires permission. Thus this exploit seems limited to Chrome users.~~

@SkaveRat pointed out that it doesn't require permission, only interaction. So likely there's a button that's clicked that writes to the clipboard, and most browsers are susceptible to this.

[–] [email protected] 160 points 1 month ago (2 children)

not when there was a user intent like clicking a button.

For example in this screenshot, it's likely that there's only the "verify I'm human" button first, you click it, the steps pop up, and at the same time the command ist copied into your clipboard

[–] [email protected] 83 points 1 month ago* (last edited 1 month ago) (1 children)

Exactly, copy requires a click but there's no rule that the copy button has to look like anything particular

[–] [email protected] 15 points 1 month ago* (last edited 1 month ago)

It doesn't necessarily need a click - it can be triggered by a keypress too (eg at my workplace we have a few internal pages where you can press a keyboard shortcut to copy a shortened URL for the current page).

It has to be something the browser considers a user interaction, meaning the user has expressed an intent to perform the action. That's usually a button press or keypress.

[–] [email protected] 17 points 1 month ago* (last edited 1 month ago) (7 children)

Why isn't the default behavior for browsers to not allow access to the clipboard? Similar to how it prompts you for access to camera/microphone

Edit: On a per-site basis, like if you use the Zoom website it asks you for access to the webcam, would something like this work for clipboard as well or would it break stuff?

[–] [email protected] 22 points 1 month ago* (last edited 1 month ago) (1 children)

There is no inherent security problem with changing the content of the clipboard. That doesn't do anything until the user pastes it somewhere; of course if that "somewhere" is a command prompt, then that is a security problem, but users really ought to check what they're pasting there before they execute it (yeah, I know, "ought to").

It would be possible to do it the way you say, but that would mean that the user would need to allow that for many websites; I don't think copying from apps like Google Docs would work anymore, and "here's your access token, click here to copy it to the clipboard" features certainly wouldn't.

The screenshot in the OP would then probably be changed to include a step "click: allow clipboard access"; I think most people who fall for the screenshot in the OP would also fall for that.

load more comments (1 replies)
load more comments (6 replies)
load more comments (1 replies)
[–] [email protected] 133 points 1 month ago (17 children)

That's a sneaky one.

load more comments (17 replies)
[–] [email protected] 124 points 1 month ago

This is actually pretty smart because it switches the context of the action. Most intermediate users avoid clicking random executables by instinct but this is different enough that it doesn't immediately trigger that association and response.

[–] [email protected] 102 points 1 month ago (8 children)

This reminds of when I was 13 I used to tell my opponents in Warcraft 3 that pessing alt+q+q quickly reveals the map. It's a shortcut for closing the game. Worked way to many times

I do see this working

[–] [email protected] 47 points 1 month ago (1 children)

ALT+F4 for free funds, opened alot of slots on bfh servers whenever my friends couldn't join.

load more comments (1 replies)
[–] [email protected] 42 points 1 month ago

btw if you want to try and hack me, my IP is 127.0.0.1

[–] [email protected] 25 points 1 month ago* (last edited 1 month ago) (1 children)

Yeah, and you can dupe items in RuneScape by dropping them and pressing Alt+F4. Don’t worry, I’ll stand way over here to prove I’m not trying to steal it. If I try to pick up the item you’ll see me move, and you can just pick it up first.

[–] [email protected] 32 points 1 month ago

The day of a new patch in WoW I said in general chat "wow, they finally put a confirmation when you type /gquit , crazy how long it took" and sit in town and watch peoples guild names disappear

load more comments (5 replies)
[–] [email protected] 98 points 1 month ago (1 children)

Followed instructions but verification failed, seems like nothing happened except dick got stuck in toaster again. Using Arch, btw.

load more comments (1 replies)
[–] [email protected] 93 points 1 month ago (3 children)

So inventive these guys. If only we could harness that ingenuity for the common good instead, it would have a huge impact.

[–] [email protected] 54 points 1 month ago (3 children)

Fwiw there are a large number of people who volunteer their time and effort toward worthwhile projects. It's just they don't get rewarded anywhere near the level of benefit that they provide.

load more comments (3 replies)
[–] [email protected] 51 points 1 month ago (3 children)

"To prove that you are human, donate $$$ to Doctors Without Borders."

"To prove that you are human, register to vote."

"To prove that you are human, adopt a pet from the local animal shelter."

[–] [email protected] 19 points 1 month ago (2 children)

“To prove that you are human, adopt a pet from the local animal shelter.”

I've got 22 cats already, but I need to check my email!

[–] [email protected] 17 points 1 month ago

PLEASE ADOPT VERIFICATION CAT TO CONTINUE

load more comments (1 replies)
load more comments (2 replies)
[–] [email protected] 79 points 1 month ago (16 children)

I almost fell for an unrelated scam just a couple months ago. Basically, I was on vacation visiting family, had just gotten a new phone (w/ GrapheneOS, so it didn't have Google's network of spam detection), and was out and about at the time. Here's how it went down:

  1. received text earlier that day saying that my CC was used for an unauthorized purchase (happens a couple times/year)
  2. got a call from someone claiming to be my bank (not one of the popular chains like Chase or whatever)
  3. caller asked me to verify myself through text code, and I didn't read the text message carefully and provided it (later inspection showed that it was a password reset code)
  4. after going through some (fake) recent transactions, I told them they all sounded fraudulent (they were on the other side of the country)
  5. they asked me to confirm myself again through another code to finalize, at which point I told them they don't need a second code since I already proved my identity, and they hung up

I immediately went to go reset my password and found I was locked out, so I called my bank. They confirmed that my account had been automatically locked for suspicion of fraud (good job!!) and confirmed what I suspected, the scammer had reset my password (first code) and was attempting to add an external account (second code). Had I given them that second code, they likely would have been able to submit the transfer and it would've been a giant headache to try to get that money back.

I didn't lose anything and I immediately improved the security on my account, but I felt like an idiot for letting them get that far. I had also recently consolidated my other accounts to this one, so this would've been a big blow. They changed my account numbers, I changed my username and password, and they held my account for a week or so to ensure everything was good. This bank is one of the few that actually cares about security, so I set up voice recognition (they said they track it anyway, this just turns on an extra feature) and Symantec VIP (I prefer my regular TOTP app, but they don't support that).

I don't think it'll happen to me again, but I was still surprised that I got so far through the process before recognizing that it's a scam. And I consider myself pretty security conscious (e.g. I use TOTP everywhere, password manager, keep credit bureaus frozen, etc). I guess they got my info from a breach somewhere because they knew my name, my username (to be fair, I used it everywhere), and the bank I use (could've gotten lucky). I have since changed most of my usernames to be random, so hopefully I'll be more safe going forward.

Anyway, stay on your guard, it can happen to you.

[–] [email protected] 35 points 1 month ago (1 children)

Pro-tip: Whenever you receive a call/text/email from "your bank" saying something is wrong, don't interact!

Open their app/website or call them yourself to verify.

load more comments (1 replies)
[–] [email protected] 24 points 1 month ago (10 children)

The fact that many banks still don't have at least app-based 2FA should be criminal.

load more comments (10 replies)
[–] [email protected] 24 points 1 month ago* (last edited 1 month ago) (3 children)

I set up voice recognition

This feature is extremely insecure now that there's several AIs that can replicate voices. If a scammer calls you and you say a few words (like if you say "hello" and "sorry, I think you've got the wrong number"), a recording of that can be enough for them to replicate your voice.

This happened at my workplace. An attacker got into someone's Schwab account by calling Schwab support and successfully getting past the voice verification, and attempted to transfer $100k (from a recent stock sale) out of their account. It took a bit of effort but they managed to get all the money back.

Schwab sent out a bulk email to everyone at my company saying they're improving their security as a result, but I'm not sure if they've actually improved it. They're still promoting this insecure feature.

load more comments (3 replies)
[–] [email protected] 23 points 1 month ago (5 children)

Your story reminds me of something that my bank started doing. I got a robocall about something to do with my credit card, and the voice said to verify using x and y using my keypad, I think it was day/month/year of birth or something and I immediately noped out of the call. I hit all the wrong buttons until it got me to a person and I ripped them apart, and their supervisor for basically training their userbase to answer security questions given by an automatic voice on the other end of the line with no way to verify who is calling.

You can spoof your caller ID, you can get a text to speech robocall bot with DTMF recognition and just spam call a whole area where the bank operates and gather a bunch of personal information because it sounds just like the bank and there's no way to prove who called.

What a crock of shit. It's a security nightmare.

I did call my bank after at a known valid number, verified them as they verified me, and there was something going on, so the call was legit, and totally unacceptable.

These clowns want us to trust them completely, and give us no reason to do so, but they want us to bend over backwards to validate ourselves. Fuck that.

load more comments (5 replies)
load more comments (12 replies)
[–] [email protected] 65 points 1 month ago

As someone tech literate that looks hilarious to follow through with.

But if not, that really does seem similar to a normal captcha with fairly simple steps.

[–] [email protected] 45 points 1 month ago

Kinda brilliant to disguise malware as a captcha, though. I won’t be surprised.

[–] [email protected] 41 points 1 month ago (1 children)

That is extremely hilarious

[–] [email protected] 67 points 1 month ago

Except for the fact that a lot of less tech savvy people will fall for it.

[–] [email protected] 34 points 1 month ago

Instructions were unclear, ransomware dev now owes me 0.15 bitcoin.

[–] [email protected] 31 points 1 month ago (3 children)

Usually I warn my 81 year old dad about these scams. Don't think I need to worry about this one, he wouldn't be tech savvy enough to find the windows button

load more comments (3 replies)
[–] [email protected] 31 points 1 month ago (1 children)

That’s going to catch some people, especially older ones.

[–] [email protected] 22 points 1 month ago (1 children)

Yet if I was helping my elders over the phone, I'd get all sorts of "What Windows key?", "I can't find that Control key", or "I did that key, the plus key, and then my hand slipped and I minimized everything."

load more comments (1 replies)
[–] [email protected] 28 points 1 month ago

diabolical

[–] [email protected] 23 points 1 month ago (8 children)

Wouldn't it require elevation?

Yet another example of why running as root/admin is a Bad Idea©

[–] [email protected] 71 points 1 month ago (2 children)

No, why would it? It will run code in the context of the current user which is absolutely enough to start a new process that will run in the background, download more code from a attacker server and allow remote access. The attacker will only have as much permissions as the user executing the code but that is enough to steal their files, run a keyloggers, steal their sessions for other websites etc.

They can try to escalate to the admin user, but when targeting private victims, all the data that is worth stealing is available to the user and does not require admin privs.

[–] [email protected] 54 points 1 month ago (1 children)

[–] [email protected] 17 points 1 month ago

This here. The most important thing on your computer are all your session cookies, which are, well, accessible with permissions your user account already has.

Dudes don't care about making your shit into a botnet, or putting a rootkit in your firmware, or whatever other technically complex thing you care to think about: they're there to steal your shit, and the most valuable shit you have is sitting there out in the open for the taking for anyone who makes it past a very very low bar of 'make the user do something stupid'.

load more comments (1 replies)
load more comments (7 replies)
[–] [email protected] 17 points 1 month ago (2 children)

its not working, my krunner bind is windows+d

load more comments (2 replies)
[–] [email protected] 17 points 1 month ago* (last edited 1 month ago)

ah, think this is like one of those survey scams.

[–] [email protected] 17 points 1 month ago

That’s so sassy I kinda respect it.

Too bad for those who fall for it.

[–] [email protected] 16 points 1 month ago (2 children)

I wish more people knew what Run... did, but the Ctrl + v should be a little more obvious. We need to teach more computer literacy if you don't immediately know that means you're copying text to something.

Especially on a shady site, mind you. But then again, this could be on a phishing email, so that's not always the case I guess. (I got one from "STARBUCKS" that Gmail didn't catch, their spam filter has been shit lately, blocking my work emails but letting through a lot of sus stuff).

load more comments (2 replies)
load more comments
view more: next ›