As a security researcher who tends to focus a bit on user interaction and phishing vectors you are 100% correct, but also representing part of the problem. Too often we discount vulnerabilities which users have to click-through to execute. Unfortunately users do ignore system security warnings. Unfortunately when given a dialog where they can choose security over doing their job, they'll do their job.
I've actually presented user interaction vulnerabilities to development teams in an interactive environment where I describe the vulnerability. I show them where it's at, I show them the dialogs they must be cautious about and even with all of this education they still fall for my attack running on their network. As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.
> As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.
Maybe give it an actual name. Something like Vibkac: Vulnerability is between keyboard and chair.