The Wayne ([personal profile] thewayne) wrote 2022-03-22 03:19 pm

A browser password phishing scheme that can fool the security savvy

There's something called OAuth. It was designed to let you sign in with your Google/Apple/Microsoft account - which may be secured with 2FA - and have that pass a security token upstream to whatever site you're signing in to, saying "Hey, this person is A-Okay!", and you're in. The alternative is creating yet another set of web site credentials specific to that site.

A security researcher has figured out a very clever attack that negates OAuth's protection, called BitB: Browser in the Browser. It uses Cascading Style Sheets (CSS) to draw, inside the phishing page itself, a window that looks just like the OAuth pop-up. The fake window intercepts your credentials, simulates a login failure, then hands you the real login window so nothing looks wrong. A lot of people will fall for that, and one captured login can compromise your entire Google/whatever ecosystem.

The conventional checks - looking to see that you're on an HTTPS site and that the site is actually amazon.com instead of amazon.suspiciouswebsite.biz - don't work here, because the fake window is part of the phishing page's own content and the real address bar still shows a site you chose to visit. The check that does work: the imposter OAuth window cannot be moved on top of the address bar! A true OAuth pop-up is a separate browser window with its own address display, so it can be dragged anywhere, including over the page you're logging in to. If you have any questions or suspicions, grab the login form and drag it on top of the address bar: an imposter won't pass that test, because it's stuck inside the page that drew it.
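The same fact behind the dragging test - a real OAuth pop-up is its own window, so its address bar never appears in the page's DOM - can be turned into a static check for a page scanner. The code below is an added example (mine, not the post's or the Ars article's): it flags a known identity-provider URL painted as plain text inside a `position:fixed` or `position:absolute` box. The provider list, the inline-style-only heuristic, and the two sample pages are assumptions and constructed data.

```python
import re
from html.parser import HTMLParser

# Identity providers whose sign-in pop-ups a BitB page imitates (assumed list).
IDP_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "appleid.apple.com"}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
POSITIONED_RE = re.compile(r"position\s*:\s*(fixed|absolute)", re.I)
VOID_TAGS = {"br", "img", "input", "hr", "meta", "link"}


class BitbScanner(HTMLParser):
    """Flag identity-provider URLs painted as plain text inside a box positioned
    over the page: a real OAuth pop-up's address bar is never in the page DOM."""

    def __init__(self):
        super().__init__()
        self.positioned = []  # one flag per open element (inline styles only)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:  # never closed, so keep them off the stack
            return
        style = dict(attrs).get("style") or ""
        self.positioned.append(POSITIONED_RE.search(style) is not None)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.positioned:
            self.positioned.pop()

    def handle_data(self, data):
        for host in URL_RE.findall(data):
            if host.lower() in IDP_HOSTS and any(self.positioned):
                self.findings.append(host.lower())


def scan(html):
    """Return the spoofed identity-provider hosts found in a page."""
    scanner = BitbScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a fake pop-up drawn with CSS, painted address bar and all.
FAKE_POPUP = """
<div style="position:fixed; top:80px; left:200px; width:480px">
  <div class="urlbar">https://accounts.google.com/o/oauth2/auth?client_id=demo</div>
  <iframe src="https://attacker.example/fake-login.html"></iframe>
</div>"""
# Constructed sample: an ordinary page that merely mentions the login URL.
PLAIN_PAGE = "<p>You will be sent to https://accounts.google.com to sign in.</p>"
```

A page that positions the box through a stylesheet class rather than an inline style would need computed styles from a headless browser instead of this inline check.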

I don't think this jeopardizes your computer's security any more than any suspicious web site or download would; it's a way of stealing computer credentials, which is always a concern.

This isn't just a thought exercise, demonstration, or proof of concept: this has been found in the wild. It will be interesting to see how the OAuth world responds to this. A friend and I wrote something like this to suck account credentials on a minicomputer that students weren't logging out of back in the '80s. Simplicity itself. This is much more complicated to implement. There should be some way to trace where the stolen credentials go if an implementation is found.

https://arstechnica.com/information-technology/2022/03/behold-a-password-phishing-site-that-can-trick-even-savvy-users/

[personal profile] disneydream06 2022-03-25 12:22 am (UTC)
Hopefully I am boring enough that nobody would be desperate enough to come for me. :o