They would have rigged the router for the local wifi to present a man-in-the-middle attack on the Wikipedia page for poker.
I would expect this to fail, in that modern browsers attempt to demand HTTPS versions of known sites when they exist, and faking Wikipedia’s cert would take work. MitM-ing websites isn’t as easy as it used to be.
‘Not as easy as it used to be’ != ‘infeasible for a stage magician’. (Keep in mind they are well-documented to do things like research audience members in advance just to pull off better cold reads. They only need one thing to succeed. How many ways are there to hack a pinball machine?)
And you’re making a lot of assumptions here about the setup, like having a known device (maybe it’s a video) which has already contacted Wikipedia before and in-cache has pinned the WP HTTPS cert, and also the user having gone to the right URL/domain in the first place (hey you know what’s hard to see on current mobile browsers because all of the tech giants despise URLs and want to eliminate them and keep you in their walled garden?). I just checked on my phone right now, and if you browse to En, the default Android Chrome browser both does not show you the https and as soon as you scroll down even slightly, the entire URL disappears. The only way I found to easily see the protocol was to edit the URL! It remains quite easy to phish or spoof or cross the ‘line of death’, and people fall for these things all the time. Or, what if it’s been vandalized (can take a long time to fix, and could’ve been vandalized by a confederate mere seconds before the audience member checks)? What if it was vandalized and you’re looking at a valid WP mirror which is out of date? What if you’re looking at a specific data-poisoned revision?
(Note by the way that almost none of these exploits would count for bug bounties from anyone.)
Spoofing a DNS redirect record with the router which sends you to a homograph domain with a legitimate certificate should work.
It will not work. Or rather, if you have a way to make it work, you should collect the bug bounty for a few tens of thousands of dollars, rather than use it for a prank. Browser makers and other tech companies have gone to great lengths to prevent this sort of thing, because it is very important for security that people who go to sites that could have login pages never get redirected to lookalike pages that harvest their passwords.
Ah, that’s what I get for trusting Claude to check my first pass idea, and not poking it more extensively.
Aww, that doesn’t work anymore? Probably good for the world if sad for pranksters. I admit I last pulled some variant of this prank in the late aughts/early 2010s and haven’t tried recently. I got an afternoon of enjoyment out of upsidedownternet.
My next best idea I’m sure I could pull off would be to make my own website that looked like the Wikipedia article, pull that up on my phone, and show it to the mark.
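The thread above mentions homograph domains and how hard it is to read the real hostname on a phone. As an added example (not written by any commenter here), this is one way a proxy, mail filter or log review could flag such hostnames. The `TRUSTED` list, the small `CONFUSABLES` table and the two-label `registrable()` shortcut are assumptions made for the sketch.

```python
import unicodedata

# Assumption: the sites being protected.
TRUSTED = {"wikipedia.org"}

# Constructed subset of look-alike letters (Cyrillic -> Latin); the full data
# set is Unicode TR39 confusables.txt.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u0455": "s", "\u0501": "d"}

def to_unicode(host):
    """Decode xn-- (punycode) labels so we inspect what a user would see."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as written
        labels.append(label)
    return ".".join(labels)

def scripts(text):
    """Set of script names (LATIN, CYRILLIC, ...) used by the letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def skeleton(text):
    """Fold known look-alike letters to ASCII for comparison."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def registrable(host):
    # Assumption: last two labels; real code would use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def classify(host):
    domain = registrable(to_unicode(host))
    if domain in TRUSTED:
        return "trusted"
    if skeleton(domain) in TRUSTED:
        return "homograph"       # renders like a trusted site but is not it
    if len(scripts(domain)) > 1:
        return "mixed-script"    # suspicious even without a known target
    return "other"

# Constructed samples: "wikipedia" with Cyrillic i (U+0456), plus its xn-- form.
SPOOF = "w\u0456k\u0456ped\u0456a.org"
SPOOF_ACE = "xn--" + SPOOF.split(".")[0].encode("punycode").decode("ascii") + ".org"
```

A valid certificate for the look-alike name does not change the result, because the check compares names and not who signed for them.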