Primary CTA: what’s best for you
Secondary CTA: an alternative for you
Primary CTA: what’s best for us
Secondary CTA: what’s acceptable to us
It's been a long time since Windows 95's "Where do you want to go today?" slogan. Now, every developer's slogan is "Here's where we allow you to go today--and we'll make it hard to go anywhere else."
The pattern attackers would use is to figure out how to use the redirector at hxxps://www.youtube.com/redirect?event=channel_description&redir_token=QUFFLUhqbGhxcFJubU9YV0RqWkY3bVlnQUdtZFBTSG5Dd3xBQ3Jtc0treWdqWS1ZX2tFdWlUa3NmY09tc2RUOFN6VUh5WDB2eTFGbE5hUTlFY25VZHROLVgyMVRJR2Mzd0QySUxidGNHYkNOd1FqQXNsTk1zcFBLWF83UHMxTDRIaGdsSGJfRjFveHlwNS1FbUt6bXg3TmhFRQ&q=http%3A%2F%2Fwww.penguinrandomhouse.com
to point at www.looks-like-youtube-but-is-phishing.ru instead of ww.penguinrandomhouse.com. Then, when the attacker manages to take over someone's Facebook Messenger account, they send "check out this cool youtube video" to all of that user's friends. Because the URL has the domain youtube.com, it's trusted, so the'll click on the link. If the redirector simply redirected, a non-zero amount of victims would then have a tab opened to www.looks-like-youtube-but-is-phishing.ru that says they've been logged out of youtube, enter your username and password to login and watch this really really funny cat video that your mom/boyfriend/sister/crush/whatever just sent you.
Maybe I'm reading too much into it. More and more patterns seem hostile, antagonistic to the user, and it seems like it's an adopted practice that's taken as a standard. I hope I'm wrong.
This is a common pattern to see today. Lots of examples that maintain the same CTA design (don't leave us. Don't waste your money on scammers, waste them on us please)
But you are still training your users to do the Windows Okay Okay Okay dance.
Phishing links are not fixed by adding hijacks, in fact I would probably then spend less time reviewing the link and more time trying to decide which double negative button I wish to click.
Such an endpoint is vulnerable to "open redirect" exploits, where a redirect exploit on a trusted domain (google.com/youtube.com) is used to conceal a malicious link. The confirmation page is used to make the endpoint useless for such purposes.
But the confirmation page would be super annoying for normal users who intended to click the link, so there's a further mechanism where the redirector link has some ID that's also present in your cookies, so that as long as it is you who hits the redirector endpoint the confirmation page is bypassed - but if you try to use it in an "open redirect" attack your victim wouldn't have the matching cookie and thus would get the warning.
In their case they must be opening the link in a new context that doesn't share state (cookies/etc) with the old one (either deliberately or as a result of a privacy plug-in/feature) and so get the interstitial.
Do you want to rate our app?
Later [YES]
It is extremely disrespectful as it basically ignores consent. It's the "rapist mentality" Louis Rossmann talks about. No means no,not "later", people.
not_your_vase•2w ago