For an unknown amount of time, the Chrome browser has contained a vulnerability which allows malicious websites to hijack the back button. This was recently demonstrated with striking effect by SEO expert Dan Petrovic of Dejan, an Australian internet marketing company. According to his public disclosure on the Dejan website, Petrovic used an elaborate proof-of-concept attack, which involved exploit code launched from his test website. He combined this exploit with a fake search engine results page and impersonation of the websites found within those results. This allowed Petrovic to spy on users’ traffic to impersonated versions of his competitors’ websites, recording mouse movement, clicks and typing, among other things. The attack unfolded as follows. First, a Chrome user would conduct a Google search related to Petrovic’s website. At some point, that user might click through to Petrovic’s website, which was using a JavaScript exploit to hijack the Chrome back button. If the user then clicked the back button while on Petrovic’s website, they would be redirected to a fake version of the search results page they had arrived from. Very tricky, indeed. Within this fake search results page were links to fake versions of Petrovic’s competitors’ websites, using similar domain names. Since Petrovic controlled these fake versions of his competitors’ websites, he was able to spy on all traffic to them, including any data entered into forms. Had he been so motivated, Petrovic could have recorded any passwords or credit card numbers entered into these sites. That the impersonation sites used SSL encryption made no difference: because he controlled the sites, he could capture the data after it was decrypted.

Interesting: guy hijacked browser back button to record user interactions on his competitors' sites. Most people didn't notice, since his SSL certs were still valid. As long as there's a green padlock, they didn't check the actual URL they were visiting https://t.co/PnZuuhttag — Mike Payne (@the_mikepayne) August 27, 2018

Some have criticized Petrovic for setting up this proof-of-concept attack website at all. He certainly didn’t follow the industry-standard protocol for responsible disclosure of vulnerabilities to a vendor. Typically, a security researcher would first confidentially disclose a vulnerability in the Chrome browser directly to Google, instead of to the world, as Petrovic did on the Dejan website. Petrovic has defended his actions via the Dejan website, claiming that we should be “more concerned about those who do unethical things and don’t write about it.”

Whether or not you agree with his methods, Petrovic has certainly called attention to an interesting attack that users should be aware of. It’s hard to say whether Google will put a fix in place for this. Even if Google doesn’t fix this issue, however, you can still defend yourself from this attack. The first line of defense, of course, is to not click on questionable sites. Using a URL or DNS filtering service like OpenDNS can certainly help, though it shouldn’t be relied on wholly. Hopefully, with careful browsing habits, you won’t land on a page which contains this malicious exploit code. If you do, you can still defend yourself if you are alert. In Petrovic’s attack, when you hit the back button, you would be sent to a fake version of Google’s search engine results page. This should be simple to spot by checking the address bar of your browser to see whether it is actually on google.com. A valid certificate and a green padlock tell you nothing here, since the attacker controls the fake site and can obtain a valid certificate for it. If the address bar shows something other than the legitimate name, such as google[.]evil[.]com (brackets inserted for sanitization), you have been redirected to a fake version of the Google search engine results page and need to close that browser tab immediately.
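The address-bar check above is easy to get wrong in software: a naive substring test for "google.com" accepts google.com.evil.com, which is exactly the kind of similar domain name the fake results page relied on. The following is an added example, not code from the article or from Dejan, of how a browser extension or URL filter could classify the page in the address bar against the domains it claims to be. The function names (checkAddressBar, isOnDomain, editDistance) and every hostname in the examples are constructed for illustration; the lookalike heuristics (label match, embedded legitimate name, userinfo trick, one-character typosquat) go a little beyond the single google[.]evil[.]com case the article mentions.

```javascript
// Added example (not from the article or Dejan): a defender-side check for the
// address-bar test the article recommends. Given the URL in the address bar and
// the domains the page claims to be, it reports whether the host is legitimate,
// a lookalike (google.evil.com, google.com.evil.com, gooogle.com,
// https://www.google.com@evil.com/), or something else. All hostnames used
// here are constructed for illustration.

// Levenshtein edit distance, used to catch one-character typosquats of a label.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                                   // deletion
        prev[j - 1] + 1,                               // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)         // substitution / match
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// True only when host is exactly `domain` or a subdomain of it. A substring test
// ("google.com" in host) would accept google.com.evil.com, which is the mistake
// lookalike domains rely on.
function isOnDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns { verdict, host, https, imitates? }, where verdict is
// "legitimate", "lookalike" or "other".
function checkAddressBar(href, expectedDomains) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { verdict: "other", host: null, https: false, reason: "unparseable" };
  }
  // Normalise: lower-case and drop a trailing dot (example.com. is example.com).
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const https = url.protocol === "https:";
  const domains = expectedDomains.map((d) => d.toLowerCase());

  for (const d of domains) {
    if (isOnDomain(host, d)) return { verdict: "legitimate", host, https };
  }

  // Not legitimate: does it imitate one of the expected names?
  const labels = host.split(/[.-]/);
  for (const d of domains) {
    const label = d.split(".")[0]; // "google" for "google.com"
    const looksLike =
      host.includes(d) ||                              // google.com.evil.com
      url.username.toLowerCase().includes(label) ||    // www.google.com@evil.com
      labels.some((l) => l === label ||                // google.evil.com
        (l.length > 3 && editDistance(l, label) <= 1)); // gooogle.com
    if (looksLike) return { verdict: "lookalike", host, https, imitates: d };
  }
  return { verdict: "other", host, https };
}

// Stand-alone demonstration on constructed URLs.
if (typeof require !== "undefined" && require.main === module) {
  for (const href of [
    "https://www.google.com/search?q=dejan",
    "https://google.evil.com/search",
    "https://google.com.evil.com/",
    "https://www.google.com@evil.com/",
    "https://gooogle.com/",
    "https://example.org/",
  ]) {
    console.log(href, "=>", checkAddressBar(href, ["google.com"]));
  }
}
```

The "lookalike" verdict is a heuristic, so a filter would treat it as a warning rather than a block: the edit-distance rule will occasionally flag an unrelated site whose name happens to be one character away from a protected label. The "legitimate" verdict, by contrast, is exact, and a `https: false` alongside it still deserves attention.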

Unfortunately, Petrovic is not the first person to mess with the browser back button. A number of shady websites with so-called tips and tricks for SEO (search engine optimization) have published code advertising the ability to forward a visitor to an arbitrary website when the back button is used. These shifty sites advise webmasters to use these techniques as a last-ditch effort to get the user to buy something. That’s a sad state of affairs. It also suggests that browsers besides Chrome may be vulnerable to similar attacks.

It’s worth mentioning that if you are already on a website that is serving malicious code, you may already be the victim of a different type of attack that has nothing to do with the back button. It is possible that your first sign of this is your back button forwarding you somewhere strange, but by that time you could already have been hit by something else. If you observe any other unusual behavior on your device after experiencing a hijacked back button, assume the worst: you may already have been the victim of an attack.

Petrovic has stated he believes that “manipulating the back button in Chrome shouldn’t be possible in 2018”. He also believes that websites using this exploit should be detected and penalized by Google. If such websites are to remain in Google’s search results, he believes they should be labeled with a warning that they may be harmful.