[cjc1083]

The danger of this, is not (IMO) people inserting personal data or financial data on the end page (which would be avoided by paying attention to the URL bar), but in targeted attacks where the page serves up a IE/Flash/Java exploit compromising the users machine. At this point it doesn't matter what the end result is, as the damage is done. Also, an attacker can simply redirect to to the orig page/target after exploitation in such a way that the majority of casual users wouldn't notice, as there is no user interaction at the end.

Example a link to an article or PDF report of interest is Hijacked via this method (where the hover is correct but actual target is malicious) the user quickly hits the exploit site and is compromised/malware dropped while the exploit site displays a splash page of some sort briefly, it then forwards to the orig. destination.

I don't see the majority of non paranoid users detecting this, even if they are in the right mindset, as they end up at the proper site with nothing more than quick, and now ubiquitous, splash/ad page in between.

EDIT: I'm not necessarily advocating any change, this behavior can be tracked and blocked in a properly secured infrastructure, but this is where I see the potential for harm.

[cheald]

The point remains that this kind of thing is entirely possible via "legitimate" methods, too.

If the bad guys can inject Javascript into your page, it's game over, period. The attack vector is meaningless; there are tons of them. If I can inject my Javascript into your page to hijack your clicks, why would I bother with that rather than just putting an invisible iframe into the page that delivers the payload without any user interaction required? It's going to get me far better results, doesn't rely on undocumented behavior, and isn't contingent on a user failing to notice a splash screen.

[bilawal]

Maybe there's a side to it that I'm not aware, but as far as I know, it's become very difficult to run exploitable JS in an iframe.

[cheald]

cjc1083's proposed attack vector is an interstitial page which drops a Java/Flash 0-day on you and forwards you to your original target site, leaving you compromised and none the wiser. My point is that if you can even do the redirect in the first place, it's much simpler to just iframe in the attack page and do the drop directly rather than waiting on user input to do it in a manner that they might notice.

[cjc1083]

You are 100% right, I guess I was just taking the concept to a place where I could mentally weaponize it. Thanks!

[jakubp]

Are you suggesting that if you point my browser to a malicious URL [Chrome on Win 7] I will get malware "just like that", without clicking anything? How's that possible, exactly? (I have no Java installed.) I understand there could be a _security_ flaw in the browser itself, but are you telling me there are security flaws that mean "malicious URL opened = arbitrary malware will now run on user's OS"???

[cheald]

Possibly, yes - Flash and Java are both commonly-exploited attack vectors for this. Not having Java is a good start, but Chrome ships with Flash embedded in it (and to Google's credit, they keep it aggressively patched by pushing updates), but if someone were running an exploit against an unpatched zero-day, then you could go to a harmless site which is running federated ads, which the attacker has purchased ad views for, and which they use to serve their Flash-based payload which runs the exploit and provides some measure of your access to your computer (often to add an additional payload that can be used to back-door you). The damage is done.

To protect yourself against this, you should go into Chrome's about:settings/content and set Plugins to "click-to-play", so that you have to manually allow a plugin to execute, preventing this kind of drive-by attack.