
2FA compromised in new attack

Comments

  • Registered Users Posts: 2,809 ✭✭✭edanto


    Attacks just keep getting cleverer. That's fairly nifty.


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    Unless I'm missing something, doesn't HSTS defeat this?

    [edit] Actually, I suppose it partially does, but the attack can still work if you can get the user to click on a different URL. Victim connects to g00gle.com, proxy then connects to google.com. I should really read the article fully before responding.


  • Registered Users Posts: 1,373 ✭✭✭ezra_


    I messed about with a little Chrome extension that basically matched Headers and URLs against the current URL.
    So if you were visiting a site that said 'GMail Login' and had a URL of accounts.google.com, and you then hit 'GMail Login' and had a different URL, you'd get a popup warning.

    I stopped when I realised just how many websites have 'Home' as the title.
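
The title-to-URL check described in the post above, as an added example that is not part of the original thread and is not ezra_'s extension. It pins the first hostname seen for a login-page title and skips generic titles such as 'Home'; the function names, the `hasPasswordField` input and the generic-title list are assumptions made for illustration.

```javascript
// Added example, not code from the thread. All names are hypothetical.
// Trust-on-first-use: the first host seen for a login-page title is pinned,
// so the check only helps once the genuine page has been visited.
const GENERIC_TITLES = new Set(["home", "login", "log in", "sign in", "welcome"]);

function normalizeTitle(title) {
  // Case and spacing differences should not produce a separate pin.
  return title.trim().toLowerCase().replace(/\s+/g, " ");
}

function createTitlePinner() {
  const pins = new Map(); // normalized title -> pinned hostname

  // page: { title, url, hasPasswordField }
  // verdict is one of "ignored", "pinned", "ok", "warn".
  return function check(page) {
    const key = normalizeTitle(page.title);
    // Only credential pages are tracked, and titles shared by many
    // unrelated sites are skipped to avoid constant false warnings.
    if (!page.hasPasswordField || GENERIC_TITLES.has(key)) {
      return { verdict: "ignored" };
    }
    const host = new URL(page.url).hostname;
    const pinnedHost = pins.get(key);
    if (pinnedHost === undefined) {
      pins.set(key, host);
      return { verdict: "pinned", pinnedHost: host };
    }
    return { verdict: host === pinnedHost ? "ok" : "warn", pinnedHost };
  };
}

// Constructed sample visits, using the hostnames mentioned in the thread.
const SAMPLE_VISITS = [
  { title: "GMail Login", url: "https://accounts.google.com/signin", hasPasswordField: true },
  { title: "Home", url: "https://example.org/", hasPasswordField: false },
  { title: "GMail  login ", url: "https://accounts.google.com/signin", hasPasswordField: true },
  { title: "GMail Login", url: "https://g00gle.com/signin", hasPasswordField: true },
  { title: "Home", url: "https://example.net/", hasPasswordField: true },
];

function runSample() {
  const check = createTitlePinner();
  return SAMPLE_VISITS.map((visit) => check(visit).verdict);
}

console.log(runSample());
```

Comparing full hostnames means a legitimate move between subdomains of the same site would also warn; comparing registrable domains instead would need a public-suffix list.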

