Interesting: guy hijacked browser back button to record user interactions on his competitors' sites. Most people didn't notice, since his SSL certs were still valid. As long as there's a green padlock, they didn't check the actual URL they were visiting https://t.co/PnZuuhttag
— Mike Payne (@the_mikepayne) August 27, 2018
Some have criticized Petrovic for setting up this proof-of-concept attack website at all. He certainly didn’t follow the industry standard protocol for responsible disclosure of vulnerabilities to a vendor. Typically, a security researcher would first confidentially disclose a vulnerability in the Chrome browser directly to Google, instead of to the world, as Petrovic did on the Dejan website. Petrovic has defended his actions via the Dejan website, claiming that we should be “more concerned about those who do unethical things and don’t write about it.”
Whether or not you agree with his methods, Petrovic has certainly called attention to an interesting attack that users should be aware of. It’s hard to say if Google will put a fix into place for this. Even if Google doesn’t fix this issue, however, you can still defend yourself from this attack. The first line of defense, of course, is to not click on sites that are questionable. Using a URL or DNS filtering service like OpenDNS can certainly help, though this shouldn’t be relied on wholly. Hopefully, by using careful browsing habits, you won’t land on a page which contains this malicious exploit code. If you do, you can still defend yourself, if you are alert. In Petrovic’s attack, when you hit the back button, you are sent to a fake version of Google’s search engine results page. This should be simple to observe by checking the address bar of your browser to see whether it is really showing google.com. If your address bar shows something other than the legitimate name, like google[.]evil[.]com (brackets inserted for sanitization), then you need to close that browser tab immediately. You have been redirected to a fake version of the Google search engine results page, and you will want to get out of there immediately. Note that a valid certificate and a green padlock only tell you that the connection to google[.]evil[.]com is encrypted; they say nothing about whether that host is the site you expected.
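The address-bar check described above, written out as an added example (this is not code from the article or from Petrovic's site): given the URL shown in the address bar and the domain the user expected, it reports whether the host really belongs to that domain or is a lookalike such as google.evil.com. The expected domain (google.com) and the sample URLs are assumptions constructed for the example.

```javascript
// Added example: an address-bar sanity check modelled on the article's advice.
// Assumes the expected registrable domain (here google.com) is known in advance.

function hostnameBelongsTo(hostname, expectedDomain) {
  // Normalise case and strip a trailing dot (FQDN form) before comparing.
  const host = hostname.toLowerCase().replace(/\.$/, "");
  const expected = expectedDomain.toLowerCase();
  // Accept the exact domain or a genuine subdomain of it. Requiring the dot
  // boundary rejects "evilgoogle.com"; matching the suffix rather than a
  // substring rejects "google.evil.com" and "google.com.evil.com".
  return host === expected || host.endsWith("." + expected);
}

function checkAddressBar(urlString, expectedDomain = "google.com") {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS (" + url.protocol + ")" };
  }
  if (!hostnameBelongsTo(url.hostname, expectedDomain)) {
    // A valid certificate for this host proves nothing about whether it is
    // the site the user expected, which is the point the article makes.
    return { ok: false, reason: "host " + url.hostname + " is not " + expectedDomain };
  }
  return { ok: true, reason: "host " + url.hostname + " belongs to " + expectedDomain };
}

// Constructed sample inputs: one real results page URL and several lookalikes.
const samples = [
  "https://www.google.com/search?q=dejan",
  "https://google.evil.com/search?q=dejan", // the article's sanitised example
  "https://google.com.evil.com/search",
  "https://evilgoogle.com/",
  "http://www.google.com/search?q=dejan", // right host, but no TLS
];
for (const s of samples) {
  const r = checkAddressBar(s);
  console.log((r.ok ? "OK   " : "WARN ") + s + " -> " + r.reason);
}
```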
Unfortunately, Petrovic is not the first person to mess with the browser back button. A number of shady websites offering so-called tips and tricks for SEO (search engine optimization) have published code advertising the ability to forward a visitor to an arbitrary website when the back button is used. These shifty sites advise webmasters to use these techniques as a last-ditch effort to get the user to buy something. That’s a sad state of affairs. It also suggests that browsers besides Chrome may be vulnerable to similar attacks.
It’s worth mentioning that if you are already on a website that is serving up malicious code, you may already be the victim of a different type of attack that has nothing to do with the back button. It is entirely possible that your first sign of trouble is the back button forwarding you somewhere strange, but by then some other attack may already have taken place. If you observe any other unusual behavior on your device after experiencing a hijacked back button, assume the worst: you may already have been compromised.
Petrovic has stated he believes that “manipulating the back button in Chrome shouldn’t be possible in 2018”. He also believes that websites using this exploit should be detected and penalized by Google. If such websites are to remain in Google’s search results, he believes they should be labeled with a warning that they may be harmful.
Google is very good at understanding js now. More and more websites are messing around with the back button these days, inspired by the porn industry and malicious sites. In my opinion a website which does this should be marked as harmful or deceptive. CC: @johnm
— DEJAN (@dejanseo) August 21, 2018