Advertisement
Help Keep Boards Alive. Support us by going ad free today. See here: https://subscriptions.boards.ie/.
If we do not hit our goal we will be forced to close the site.

Current status: https://keepboardsalive.com/

Annual subs are best for most impact. If you are still undecided on going Ad Free - you can also donate using the Paypal Donate option. All contribution helps. Thank you.
https://www.boards.ie/group/1878-subscribers-forum

Private Group for paid up members of Boards.ie. Join the club.

2FA compromised in new attack

Comments

  • #2
    edanto
    Registered Users, Registered Users 2 Posts: 2,803 ✭✭✭edanto


    Attacks just keep getting cleverer. That's fairly nifty.


  • #3
    Blowfish
    Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Unless I'm missing something, doesn't HSTS defeat this?

    [edit] Actually, I suppose it partially does, but the attack can still work if you can get the user to click on a different URL. Victim connects to g00gle.com, proxy then connects to google.com. I should really read the article fully before responding.


  • #4
    ezra_
    Registered Users, Registered Users 2 Posts: 1,369 ✭✭✭ezra_


    I messed about with a little chome extension that basically matched Headers and URLS against the current URL.
    So if you were visiting a site that said 'GMail Login' and had an url of accounts.google.com, and you then hit 'GMail Login' and had a different URL, you'd get an popup warning.

    I stopped when I realised just how many websites have 'Home' as the title.


Advertisement