
Native Messaging is "Phishable"

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 3 Dec 2016 08:26:12 +0100
To: "public-browserext@w3.org" <public-browserext@w3.org>
Message-ID: <d5ef5676-3336-4ba7-338a-137c15c7f848@gmail.com>
Since native applications are not securely tied to invoking Web pages, it appears that this concept is susceptible to phishing.
One may argue that Native Messaging isn't callable by Web pages but that's incorrect [1], and it is probably the #1 use-case as well.

I believe the same problem is valid for the URL schemes used in Android as well.


[1] it just takes some ingenuity: https://github.com/cyberphone/web2native-bridge/tree/master/extension/release
Received on Saturday, 3 December 2016 07:27:08 UTC
