Comment by StableAlkyne

1 day ago

> I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else’s repository appeared in the results

Side story, this kind of thing is what made me stop using Bing.

I had been using it as the default for searches (it sucks, but it's at least not Google), until I landed on a phishing page for my bank (I haven't committed it to memory yet). The page was a near perfect copy, and I would easily have gotten pwnd by it if they didn't have a modal asking me to run some code in my terminal for "security activation" that made me go "that's a little odd... Is this the right address OH SHIT that's a .ru domain"

I never see Google return phishing pages or typo squatters in the first page. Bing constantly returns that stuff in the first several results.

I've seen it many times on Google where the phishing sites were advertised results stickied above the results they impersonate.

Another good reason to use ublock origin!

This is where password managers are useful because they would refuse to fill in login information since the domain doesn't match

  • That's without considering a lot of banks have non-textual inputs for their passwords. Man they love their scrambled virtual keyboard!

    I think the worst I ever had was HSBC that asked me for fragments of my password, like characters 4, 6, 7, 11, and 12. Absolute bonkers of a security theatre.

    • Oh I've never seen anything like that. But it would still help because my password manager pops up matching logins so you could just open that manually and then copy paste parts of it or type it in.

    • Had a similar UK bank experience. Without knowing it would be used for that, I had created a password that had digits. So "What's the 4th character" would be something like "6," "What's the 6th digit" would be "2," like an Abbott and Costello routine.

  • Unfortunately it's not uncommon to find legitimate websites that break autofill in some ways. And the more such websites a user encounters, the more likely he will just mindlessly paste his password into a phishing site as he has learned to do for real ones.

    Passkeys solve this problem but have their own usability issues.

    • My password manager will warn me if I manually copy a password out of it and then try to paste it in a domain that does not match

  • I use keepass (FOSS under GPL, fully offline).

    It does not detect domains.

    • The autotyper can with a little bit of finagling. Every browser has a 'url in title bar' extension available and then you can use that for your autotype matching. If you do not like to use extensions, changing a page's title is a trivial bookmarklet or userscript to make I would think.

  • "Dang, this site isn't working right with the password manager's detection. Guess I just gotta paste the password in again..."

    Meanwhile U2F/Passkeys can't possibly be abused like this.

    • Well mine pops up a big warning if you try pasting when the domain doesn't match it so at least it would force you to take a second look. Also all the real world services that I use have passkeys as 2FA which I also store in the password manager.

    • Exactly. All these ideals work in theory but then in reality banks are also incompetent and will use all kinds of domains.

      Same with meta and Google where they often direct you to domains that aren't under their main one and it's actually legit, but there's no way to know. It's impossible to teach family members to pay attention if it's really that domain because it's often legit not that domain.
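The thread above relies on one mechanism twice: a password manager refusing to autofill when the page's domain does not match the saved login, and the same check warning when a copied password is pasted somewhere else. The following is an added illustration (not code from any commenter or from a real password manager) of how that origin check is typically done. It assumes a tiny constructed stand-in for the Public Suffix List and a hypothetical saved login for `mybank.example`; it also shows the difference between exact-host matching and registrable-domain (eTLD+1) matching, which is the policy choice that decides whether `login.mybank.example` is accepted.

```python
from urllib.parse import urlsplit

# Constructed, tiny stand-in for the Public Suffix List (assumption: a real
# manager ships the full list). A "registrable domain" is one label plus the
# longest matching public suffix, e.g. login.mybank.example -> mybank.example.
PUBLIC_SUFFIXES = {"com", "org", "ru", "co.uk", "example"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname using the constructed suffix list."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix  # the host *is* a public suffix; nothing registrable
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def autofill_decision(saved_url: str, page_url: str, policy: str = "host"):
    """Decide whether a credential saved for saved_url may be used on page_url.

    policy="host"   -> hostnames must be identical (strictest).
    policy="domain" -> registrable domains must match (allows subdomains).
    Returns (allowed, reason). The same check gates both autofill and the
    warning shown when a password is pasted manually.
    """
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https":
        return False, "page is not served over https"
    if not saved.hostname or not page.hostname:
        return False, "could not parse a hostname"
    saved_host, page_host = saved.hostname.lower(), page.hostname.lower()
    if policy == "host":
        ok = saved_host == page_host
    elif policy == "domain":
        ok = registrable_domain(saved_host) == registrable_domain(page_host)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    if ok:
        return True, f"{page_host} matches saved login for {saved_host}"
    return False, f"saved login is for {saved_host}, but this page is {page_host}"


def paste_warning(saved_url: str, page_url: str):
    """Message to show when the user pastes a copied password; None if it is safe."""
    allowed, reason = autofill_decision(saved_url, page_url, policy="domain")
    return None if allowed else f"Warning: {reason}. Do not paste this password here."


if __name__ == "__main__":
    SAVED = "https://mybank.example/login"  # constructed saved entry
    # Constructed page URLs: the real site, a subdomain, a .ru lookalike,
    # a hyphen typo-squat, a homoglyph host (Cyrillic 'a'), and a plain-http copy.
    for page in [
        "https://mybank.example/login",
        "https://login.mybank.example/",
        "https://mybank.example.ru/login",
        "https://mybank-example.com/login",
        "https://myb\u0430nk.example/login",
        "http://mybank.example/login",
    ]:
        for policy in ("host", "domain"):
            print(policy, page, autofill_decision(SAVED, page, policy))
        print("paste:", page, paste_warning(SAVED, page))
```

The lookalike cases fail under both policies because the registrable domain differs outright, while the legitimate subdomain only passes under the looser `domain` policy; a manager that defaults to the strict `host` policy is what produces the "site isn't working with the password manager" friction mentioned in the thread, and the paste warning is the backstop for when a user gives up and reaches for the clipboard.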

> at least not Google

Is one giant mega-corp better than any other?

You're going to have a hard time convincing me the answer is yes.

> I never see Google return phishing pages

Maybe you're not looking or maybe you're lucky.

Either way, many of us see it happen all the time there too. For GitHub especially, I almost never get the canonical repo for a project in my Google results. Phishing or innocuous, it's almost always some fork at the top and then a bunch of non-github.com sites.

Search is more or less "cooked" now, as they say. Google vs Bing vs DDG vs Kagi is mostly in the noise.

Why would you go to your bank by first searching for it? Sounds very insecure to me. I type my bank's URL directly instead, or if that gets tedious, store it as a bookmark.

I know several people who search for important sites, click uncritically on links, and get scammed. This is not so good.

> I never see Google return phishing pages or typo squatters in the first page

Our company constantly has phishing copies of our real pages as first results in Google. We have no ability to get them taken down. It costs us serious money every year, and hurts our customers who get swindled because Google lets some brand new domain registered yesterday come before the company that has existed for 20 years.

If you haven't seen it on Google, you aren't looking hard enough.

  • Any Google employees here that could share some insights on how this kind of thing works from SE p.o.v.? Or why it works that way?