And you’re making a lot of assumptions here about the setup, like having a known device (maybe it’s a video) which has already contacted Wikipedia before and in-cache has pinned the WP HTTPS cert, and also the user having gone to the right URL/domain in the first place (hey you know what’s hard to see on current mobile browsers because all of the tech giants despise URLs and want to eliminate them and keep you in their walled garden?). I just checked on my phone right now, and if you browse to En, the default Android Chrome browser both does not show you the https and as soon as you scroll down even slightly, the entire URL disappears. The only way I found to easily see the protocol was to edit the URL! It remains quite easy to phish or spoof or cross the ‘line of death’, and people fall for these things all the time. Or, what if it’s been vandalized (can take a long time to fix, and could’ve been vandalized by a confederate mere seconds before the audience member checks)? What if it was vandalized and you’re looking at a valid WP mirror which is out of date? What if you’re looking at a specific data-poisoned revision?
(Note by the way that almost none of these exploits would count for bug bounties from anyone.)
‘Not as easy as it used to be’ != ‘infeasible for a stage magician’. (Keep in mind they are well-documented to do things like research audience members in advance just to pull off better cold reads. They only need one thing to succeed. How many ways are there to hack a pinball machine?)