Visual Illusions

This post is a follow up to the Visual Spoofing post in which I demonstrated a serious visual vulnerability of browsers and alluded to a deeper problem.

Most of the readers who saw the demo thought of it as a hole in the browser code.  Yes, there is a hole in the browser, one that allows scripts to hide and replace key UI components such as the toolbar used to display the URL of the page and the statusbar used to display the golden lock.  But there is also a hole in our brain, one that people like Diego Doval zeroed in on right away.

You see, the computer screen you are seeing this post with is actually showing just a rectangular array of pixels.  There is no such thing as a window or a button.  Instead, there are pixel patterns we call windows or buttons.  It is we, the users, who associate the idea of windows and buttons with those patterns of pixels.

From this perspective, a browser window is a rectangular array of pixels under the full control of someone else, full control meaning any pattern of pixels can be displayed, including those 'sacred' patterns we see as 'windows' or 'buttons'.  The illusion of depth, commonly used to reinforce the concept of overlapping windows, can also be duplicated.

Even if one can't hide the real toolbar and statusbar, clever visual illusions will trick a sufficient number of people to make the approach lucrative for crooks.  If you think you can't be fooled, you should visit a magician near you.

The bottom line is that when you open a browser window, you are also opening a window of vulnerability, a window through which bad guys can trick you into exposing critical secrets such as passwords.  Now expand that scary thought to include software you willingly installed onto your system, and you will find yourself hesitating the next time you reach for the power button.

As I mentioned before, I will be discussing a solution to this problem in a post titled 'Secure UI'.  The solution won't close the window, but I believe it shrinks the window size down to, hopefully, an acceptable level.

See Also: Visual Spoofing, Secure UI: Phishmarking