There's something called OAuth. It was designed to let you sign on with your Google/Apple/Microsoft account, which can be secured with 2FA, and have that pass a security token to whatever site you're signing on to, saying "Hey, this person is A-Okay!", and you'd be in. The alternative is creating and maintaining yet another set of web site credentials specific to that site.
A security researcher has figured out a very clever attack that undermines OAuth sign-in, called BitB: Browser in the Browser. It uses Cascading Style Sheets (CSS) to present a window that looks just like the OAuth login popup; that fake window intercepts the credentials, simulates a login failure, then hands off to a real login window. A lot of people will fall for that, and the attacker ends up with access to your entire Google/whatever ecosystem.
The conventional protections of checking that you're on an HTTPS site and that the site is actually amazon.com instead of amazon.suspiciouswebsite.biz don't work here. What does work is this: the imposter OAuth window cannot be moved on top of the browser's address bar. A genuine OAuth popup is a separate browser window and can be dragged over the page you are logging on to, so if you have any questions or suspicions, drag the login form on top of the address bar to make sure: an imposter won't pass that test.
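The drag test above works because a BitB window is just page content: its painted "address bar" is text inside the page, not browser chrome. The following is an added example (not code from the original post) of a defender-side heuristic built on that fact: it flags floating in-page overlays that render an identity-provider URL as text while the real page lives somewhere else. The provider host list, size thresholds and descriptor shape are assumptions for illustration.

```javascript
// Added example: heuristic detection of a Browser-in-the-Browser overlay.
// A real OAuth popup is a separate top-level window, so an IdP hostname
// drawn as *text* inside a floating element of the page is the tell.
// IDP_HOSTS and the size thresholds are illustrative assumptions.
const IDP_HOSTS = [
  "accounts.google.com",
  "login.microsoftonline.com",
  "appleid.apple.com",
];

// Pull hostname-looking tokens out of free text such as a fake address bar.
function extractHosts(text) {
  const re = /\b(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[\/\s"']|$)/gi;
  const hosts = [];
  let m;
  while ((m = re.exec(text)) !== null) hosts.push(m[1].toLowerCase());
  return hosts;
}

// overlays: [{ position, width, height, text }], one per candidate element.
// pageHost: the document's real location.hostname (lowercase).
// Returns the descriptors that look like a spoofed in-page login window.
// Expect some false positives (e.g. help text in a modal that quotes an
// IdP URL); this is a triage signal, not a verdict.
function flagBitbCandidates(overlays, pageHost) {
  return overlays.filter((o) => {
    const floating = o.position === "fixed" || o.position === "absolute";
    if (!floating || o.width < 300 || o.height < 200) return false;
    const spoofed = extractHosts(o.text).filter(
      (h) => IDP_HOSTS.includes(h) && h !== pageHost
    );
    return spoofed.length > 0;
  });
}

// Browser adapter (not exercised outside a browser): build descriptors
// from the live DOM, e.g. from a content script.
function collectOverlays(doc, win) {
  return Array.from(doc.querySelectorAll("div,section")).map((el) => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      position: cs.position,
      width: r.width,
      height: r.height,
      text: el.textContent || "",
    };
  });
}
```

In a browser you would call `flagBitbCandidates(collectOverlays(document, window), location.hostname)`; anything returned deserves the drag test before you type a password into it.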
I don't think this jeopardizes your computer's security any more than any suspicious web site or download would; it's a way of stealing credentials, which is always a concern.
This isn't just a thought exercise, demonstration, or proof of concept: it has been found in the wild. It will be interesting to see how the OAuth world responds to this. A friend and I wrote something like this to suck account credentials on a mini computer that students weren't logging out of back in the '80s. Simplicity itself. This is much more complicated to implement. There should be some way to trace where the stolen credentials go if an implementation is found.
https://arstechnica.com/information-technology/2022/03/behold-a-password-phishing-site-that-can-trick-even-savvy-users/
no subject
Date: 2022-03-23 12:38 am (UTC)
Hugs, Jon
no subject
Date: 2022-03-23 03:19 am (UTC)
Well, yes and no. The sad truth is that if you are targeted, then you can be compromised. If you want information to be secure, then it must never be connected to a network: no WiFi card or Ethernet port and never plug in a USB drive. Period. Which greatly reduces its utility. And there are ways to read data off of such a computer.
no subject
Date: 2022-03-25 12:22 am (UTC)
no subject
Date: 2022-03-23 01:37 am (UTC)
no subject
Date: 2022-03-23 03:20 am (UTC)
I do not remember that feature, but that would certainly be a good application of such!
no subject
Date: 2022-03-24 05:27 am (UTC)
no subject
Date: 2022-03-24 05:33 am (UTC)
Wow, that is sad. A Florida municipality screwed up a URL on a printed form: the URL was on the form twice and in one place it had a typo, someone swept up the bad URL and popped up a shop selling Trump merchandise. I think it was just a day or two ago on a different reply I said to a friend on LJ "This is why we can't have nice things online".
no subject
Date: 2022-03-27 03:23 am (UTC)
It's not like the "check the URI" bit works particularly well in any case, because all of the marketing newsletters from everywhere run all your clicks in their newsletter through a third-party service to register that you clicked on something in the newsletter, and they don't provide you with bare URIs to copy and paste in, so I guess we're all hoping that the ad servers and services never get compromised and used to serve malware.
no subject
Date: 2022-03-27 04:48 am (UTC)
I have, on a couple of occasions, used a third-party service like my Gmail account to authorize a service, but that was a long time ago and I won't be doing it anymore! I don't like central points of vulnerability.