
Browsers allow entering fullscreen as long as it's in response to user input, such as clicking a button. When entering fullscreen, browsers emit a prompt about exiting fullscreen, partly to make sure people know how to exit and partly to make sure entering fullscreen doesn't go unnoticed. So, it'd be hard to pull off such an attack.


> So, it'd be hard to pull off such an attack.

That's what you'd think, but people rarely pay that much attention. The fullscreen prompt only shows up for a few seconds.

For example, recently a family member clicked on a fake YouTube link from an ad in Google's search results. They clicked the search bar and it immediately turned their whole screen into a "call apple support" popup.

They called me up because they thought it was a virus, but really it was just a fullscreen webpage, and being not very technologically inclined, they didn't even try Esc, Cmd+Tab, Cmd+Q, etc.


That's why I've installed adblock on every relative/friend's browser. I've also disabled browser notifications.

Then one day one of them blindly followed instructions to remove it so they could access an online newspaper. The only time they could actually follow instructions, it was actually malicious.


> Then one day one of them blindly followed instructions to remove it so they could access an online newspaper.

Wow. That's a new level of evil. I've seen "disable your adblocker", but not "remove your adblocker".

This makes it even more justifiable that adblockers remove anti-adblock messages, beyond just removing annoyances. :)


> So, it'd be hard to pull off such an attack.

How many people actually read prompts? People literally share 2FA codes with scammers over the phone even though the SMS itself tells them not to share it with anyone, including their own support workers.


This post turned out to be wildly off-topic to the actual topic, but it's relevant for this subthread of the conversation, and I've written so many words already that I might as well post it:

I believe that fullscreen notification got implemented exactly because of people not noticing their browser went into fullscreen mode.

I agree with some other poster that it's unreasonable to assume that a majority of people would actually read the message. Luckily, though, that's not actually necessary. It's enough for them to notice that there was something fading away. Something unexpected happened.

Now it gets interesting: Regardless of people actively reading "Press [Esc]", as long as it was within their vision, their brain would still process it anyway.

This means that, in the state of confusion caused by the fading text, they'd be wondering "what just happened?" and their brain would execute the command "press [Esc]" regardless of the text being actively read or not.

The state of confusion causes the input to go right through, getting it executed, causing the user to press Escape.

That's a really fucking neat confusion technique!

PS: I'm not good at linking to topics so people gain better understanding, but I'll just read through some until I find good ones.

Milton Erickson's confusion technique. ( https://www.scribd.com/document/179357099/Milton-Erickson-TH... )

Quora's ChatGPT ( https://www.quora.com/What-is-a-simple-pattern-interrupt-con... ) has a few good lines to write about a confusion technique called "pattern interrupt".

This one here ( https://www.sciencedaily.com/releases/2007/09/070912124017.h... ) is interesting. They either pretend, or are unaware of the fact, that they are using a confusion technique to program the client.
