undefined | Better HN

0 pointsjrochkind112y ago0 comments

Theoretically, if you are using OAuth facebook login, then on the page you are prompted for a Facebook login, you should be seeing facebook.com in your browser location bar, with the trusted https "green bar".

But I realize this kind of anti-phishing checking is beyond most users, and "Just don't enter your facebook password anywhere but when you are logging into facebook" probably IS a good heuristic for them.

I also don't know if some facebook oauth login paths use some kind of fancy ajax window-in-a-window so you _don't_ actually see facebook.com in your address bar -- which would make it pretty impossible for users to know if they're being phished or not.

0 comments

2 comments · 1 top-level

scrollaway12y ago· 1 in thread

> I also don't know if some facebook oauth login paths use some kind of fancy ajax window-in-a-window so you _don't_ actually see facebook.com in your address bar

This can never happen, because of the situation you highlighted. Most browsers do not let you do that anymore.

danielweber12y ago

The site could be faking the chrome so it looks like a separate pop-up, when it's actually just a div. Most of us would smell something wrong because it wouldn't be quite right but you could get reasonably close for non-developers.

I went looking for sites using facebook logins and found this one just as the first unlucky example: http://www.nydailynews.com/login Once you know the browser and OS, it wouldn't be too hard to get something mostly like that pop-up into a div.

j / k navigate · click thread line to collapse