Yeah, NFC isn't really secure. A couple of years back in one of my security classes I looked into the NFCs being used by a library. In that article, the author's 'friend' bought a writer/reader for NFC for like, <$50... this means that he could change the value of the books that they checked out...
{ so lending The Great Gatsby would be registered as lending A Moveable Feast }
... He was also able to disable write mode... so the tag would become useless after he meddled with it. Obviously, the implications are a lot worse for people using things like Google Wallet or pay pass (whatever that service is called).
Interesting nonetheless.
Now as far as this is concerned, I like. It's always nice from an attack perspective to find a very niche audience. Really, it's almost exclusively Android devices that this could happen to... right now. Apple's iPhone has no NFC (that I'm aware of) and I've never seen a MeeGo IRL...
It reminds me a lot of the QR code attack from a few months ago (Google "curiosity pwned the cat" if interested)...
It's nice because this is how NFC works. This is what it is supposed to do. Like in the G3 demo video that Sprint stores play - it shows someone NFC'ing a Facebook 'like'. This one is just a website. Perfect. The attack vector is very concise. You likely won't be having IE hit any NFC transferred sites.
It's really a cool attack. I can't wait to hear all the cool stuff the Defcon folks came up with!
Infosec is fun.