If the downloaded payload would auto-execute without warning then this would be ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		alkonaut on Nov 5, 2014 \| parent \| context \| favorite \| on: Reflected File Download: A New Web Attack Vector If the downloaded payload would auto-execute without warning then this would be serious. Otherwise (if it needs intervention) it feels like a far fetched threat. 1) Aren't the people who would execute files that randomly download exactly the people who can never find the files they download? 2) Aren't the people who execute random stuff from the Internet also the people who won't be able to tell whether a URL feels trustworthy or not? So by 1) you could just as well serve funny.jpg.exe to the victim, and by 2) you can reach a wide enough audience by serving it from your bad guy domain rather than trying to masquerade as Google.

bthornbury on Nov 6, 2014 [–]

I think the point of this exploit is that the download does not need to feel random from the user perspective.

A user can be prompted to update flash or chrome itself and then be served a (somewhat) legitimate looking file from the respective website.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact