Hacker News new | ask | show | jobs
by talos 4363 days ago
Yeah, but those sites don't have people enter in their login/password until after they've been forwarded to an `amazon.com` or `paypal.com` domain. Try it. This is encouraging users to engage in fundamentally unsafe behavior (enter credentials for site A on site B because site B looks like site A).
1 comments
aioprisan 4363 days ago
Google Wallet does the same thing as Stripe checkout with the overlay: https://www.humblebundle.com/ Is the URL inspection the best way to make sure you're going to the right site? I know that for us deeply technical folks that's the case, but for someone less technical, they wouldn't know the difference between one URL redirect vs. another.
link
talos 4363 days ago
Not quite. If you're not logged in, Google Wallet will open a popup (as opposed to a JS modal overlay), clearly identified as "https://accounts.google.com", prompting you to enter your username and password. The username and password are never entered under the same URL bar as the 3rd party site.

If Braintree's checkout process opened a popup window, with a clear URL bar, into which the user entered their username/password, then this would not be a problem.

link
pbcoronel 4363 days ago
This is Pedro, one of the developers at Braintree who worked on this product. Security is our top priority which is why we will show a pop-up window hosted on a PayPal domain in the environments that support it. We are incrementally rolling this feature out. Here's more info about this particular issue: https://developers.braintreepayments.com/javascript+ruby/sdk...
link
talos 4363 days ago
Interesting. I understand that popups might not be supported in certain environments, but it would seem the preferable flow in that case would be to forward to Paypal, authorize, then forward back. I just don't see any way to protect a lightbox from phishing, even if that's only on a subset of devices.

I guess I'm not up on the limitations of mobile browsers, but if they really make it so hard to expose the URL, it would seem to re-open a huge array of phishing attacks (and, once these are heavily exploited, mobile browsers will probably get better about exposing URLs.)

link
tokenizerrr 4363 days ago
The most interesting part to me is that this is a regression. Paypal integration used to work like you said, and like I said here[1], though now they seem to favor usability over security.

[1]: https://news.ycombinator.com/item?id=8011614

link