
> They noted that mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for the victims to vet the legitimacy of the pages.

JFC... I never understood why that "improvement" was necessary in the first place. Now it's causing real harm out in the world. Kind of infuriating.



It’s the same with email and email phishing. They should show the full email address.

I think it’s MS Outlook that only shows the name in email chain when forwarding. So once the first person tricked forwards the email, info is lost and prevents future readers noticing the phishing email address.


>I think it’s MS Outlook that only shows the name in email chain when forwarding.

I complained to support about Outlook iOS doing this, not just for forwarding... but all received emails display only the name. I receive AppleID phishing attacks constantly to my old Hotmail account, Microsoft helpfully sends them all to my inbox and Outlook shows them as from 'Apple' unless I click the sender name and then it shows something like totallynotlegit@paypalappleidscams.tk. Their link scanner is effective around 50% of the time. It's not good enough.

Microsoft does not consider this a bug or a threat in any way. I have been active about this on social media and have had my screenshots and complaints picked up by largish accounts like @swiftonsecurity.

At this point Microsoft is complicit with the phishers. Oh well, not the first time an entire industry thrived off their lack of security.


They do this on desktop Outlook as well. It's really great when you work at a company where two people have the same name, and you have to click seven buttons to see who sent the mail. Or you get added to a forward chain and you really can't tell.


I really don't understand this either. I feel like once upon a time email clients used to go so far as to show you the full header by default; but UI trends made it important to hide anything too technical from the end user. It seems like a total dismissal of function for the sake of form. Especially since the uninterested just scroll a little to get past the techno-babble. I think having the header right there was good, it reminded people that email wasn't magic, there was understandable technology at work, and you could easily see what was going on if you cared to look.


I think having the header visible would also slowly teach people patterns of what looks legit and what doesn't.


>JFC... I never understood why that "improvement" was necessary in the first place.

What improvement are you talking about? Mobile phones truncate the URL bar because phone screens are physically narrow.


Desensitization to the URL bar is just one of many, many problems with AMP. Google is training users to ignore it, because sometimes it says google.com when they’re somewhere else.


Chrome iOS shows just the domain and subdomain-- which may help fight phishing attacks by focusing users on just that (but annoying to just about everyone else). Safari and Firefox show the whole URL, truncated on the right by the lack of space.


> Safari and Firefox show the whole URL, truncated on the right by the lack of space.

Safari doesn't.


It's a preference under "Advanced" for "Smart Search Field:" to "Show full website address". Not as hidden as some Safari settings, but it is at the end of the Preferences window.


This thread is about mobile. Mobile Safari doesn't.



