Or why browser history IS VERY BAD.
I’ve put together this quickie demo. Go there. If you haven’t been to PayPal recently you’ll be asked to go there. Click on the link, then come back. You’ll now see a red bar across the screen which tells you your last PayPal transaction is revoked and you should click on the provided link to fix it.
This is a 100% CSS-based social engineering attack. It works in IE7, Firefox and Opera (and I assume Safari as well as any other modern browser). And because you only see this message if PayPal is in your browser history, the chance that you’ll take this message seriously is certainly increased.
Now this is just a quick hack. With a bit of CSS hacking you could get it working in older browsers. You could also easily style the message that appears to look like a legitimate alert box dressed in the proper OS widgets or maybe as a toolbar message that’s part of the browser (like the alerts that pop up if you’re using NoScript).
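The trick above works because a `:visited` selector can restyle a link (or something next to it) based on a history bit that the page itself is never allowed to read. The example below is added here and is not code from the original post; it is a small model of the defence browsers later adopted against exactly this: a `:visited` rule may only change colour-like properties, and script asking for a link's computed style always gets the unvisited answer. The property allow-list and the rule text are assumptions for the model (real engines differ in detail), and the PayPal-style CSS is constructed for the demo.

```javascript
// Added example (not from the original post): a model of the ":visited" privacy
// restriction that modern browsers apply, which is the mitigation for the
// history-based message trick described above.
//
// Two rules defeat the demo:
//   1. A :visited selector may only change colour-related properties. Layout
//      properties such as display, content, background-image or width are
//      dropped, so a visited link cannot reveal a hidden "your transaction was
//      revoked" bar.
//   2. Script that reads a link's computed style always gets the *unvisited*
//      style, so getComputedStyle() cannot read history either.
//
// The allow-list below is an approximation (assumption), not any browser's exact list.
const VISITED_ALLOWED = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'text-decoration-color', 'fill', 'stroke',
]);

// Parse one CSS rule of the form "selector { prop: value; ... }" into its parts.
function parseRule(ruleText) {
  const m = ruleText.match(/^\s*([^{]+?)\s*\{([^}]*)\}\s*$/);
  if (!m) throw new Error('cannot parse rule: ' + ruleText);
  const declarations = {};
  for (const decl of m[2].split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue; // empty segment or malformed declaration
    const prop = decl.slice(0, idx).trim().toLowerCase();
    declarations[prop] = decl.slice(idx + 1).trim();
  }
  return { selector: m[1], declarations };
}

// Apply the :visited restriction. Rules that do not target :visited pass
// through untouched; :visited rules keep only allow-listed properties, and
// the dropped ones are reported so the effect is visible.
function restrictVisitedRule(rule) {
  if (!/:visited\b/.test(rule.selector)) {
    return { kept: { ...rule.declarations }, dropped: [] };
  }
  const kept = {};
  const dropped = [];
  for (const [prop, value] of Object.entries(rule.declarations)) {
    if (VISITED_ALLOWED.has(prop)) kept[prop] = value;
    else dropped.push(prop);
  }
  return { kept, dropped };
}

// Model what the engine paints versus what script is allowed to observe.
// `visited` is the history bit, which only the rendering engine ever sees.
function renderLink(unvisitedRule, visitedRule, visited) {
  const base = { ...unvisitedRule.declarations };
  const overlay = visited ? restrictVisitedRule(visitedRule).kept : {};
  const painted = { ...base, ...overlay };
  const scriptVisible = { ...base }; // never reflects the visited state
  return { painted, scriptVisible };
}

// Constructed sample: the demo's idea expressed as two rules. The visited
// rule tries to turn the link into a full-width red bar with a background
// image; only the colour change survives the restriction.
function demo() {
  const unvisited = parseRule('a.paypal { color: blue; display: inline }');
  const visited = parseRule(
    'a.paypal:visited { color: red; display: block; background-image: url(warning.png) }'
  );
  return {
    restriction: restrictVisitedRule(visited),
    whenVisited: renderLink(unvisited, visited, true),
    whenNotVisited: renderLink(unvisited, visited, false),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the model is the asymmetry: the engine still knows whether the PayPal link was visited and may tint it, but nothing it does with that bit can change layout, fetch a resource or be read back by script, which is what the red bar in the demo needs.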
Now keep in mind this, in and of itself, is not a complete example of a typical social engineering attack that you might encounter on the web. It’s simply a demonstration of an extra layer that’s available to a malicious web site operator (or someone who’s cracked a vulnerable web site).
This is also a very crude example. A more clever person could check for several dozen links, each producing one or two sentences that, when put together, tell a kind of story to gain the user’s trust and convince them that the link they’re being asked to click is legit.
On the flip side a kind web site operator might provide a list of links in their navigation element to sites the user has already visited and hide those links they haven’t visited (or vice versa) to better cater to their needs.
There are lots of GOOD things you could do with this, but it opens a door to these social engineers that we can easily close, with little (if any) impact on us, by simply disabling browser history.