totallykvothe 9 days ago
I'm having difficulty understanding what it means for an attacker to "send your email to a legitimate service"...

  tczMUFlmoNk 9 days ago
  I think this means:
  1. You go to evil.example.com, which uses this flow.
  2. It prompts you to enter your email. You do so, and you receive a code.
  3. You enter the code at evil.example.com.
  4. But actually what the evil backend did was automate a login attempt to, like, Shopify or some other site that also uses this pattern. You entered their code on evil.example.com. Now the evil backend has authenticated to Shopify or whatever as you.

    bscphil 9 days ago
    The site is comparing this method to plain username + password though. Doesn't that miss the obvious point that evil.example.com could do the exact same thing with the username + password method, except it's even easier to phish because they just get your username + password directly (when you type them in) and then an attacker can log in as you via a real browser?

      druskacik 9 days ago
      evil.example.com can be a legitimate-looking website (e.g. a new tool a person might want to try). If it has a login with email code, it can try to get the code from a different website (e.g. the aforementioned Shopify). For the username + password hack to work, evil.example.com would have to look like Shopify, which is definitely more suspicious than if it's just a random legitimate-looking website.

  anonymars 9 days ago
  I assume it's a phishing scenario, given the note about password managers. Evil site spoofs the login page, and when you attempt to log in to the malicious site, it triggers an attempt from the real site, which will duly pass you a code, which you unwittingly put into the malicious site.

    LoganDark 9 days ago
    TOTP is vulnerable to the same attack, though. If you are fooled into providing the code, it doesn't matter whether it's a fresh one to your email or a fresh one from your authenticator.

      eddythompson80 9 days ago
      They are, which is one major issue with TOTP and most current MFA methods. There is an implicit assumption that you only get the full benefit if you're using a password manager.
      1. A password manager shouldn't be vulnerable to putting your password in a phishing site.
      2. If your password is leaked, an attacker can't use it without the TOTP.
      Someone who doesn't use a password manager won't get the benefits of #1, so they can be phished even with a TOTP. But they will get the benefits of #2 (a leaked password isn't enough). Passkeys assume/require the use of a password manager (called a "passkey provider").

        LoganDark 9 days ago
        Passkeys do largely solve this issue. I love to use them whenever I can.

      anonymars 9 days ago
      Sure, but you would have needed to input a password first, which autofill wouldn't have put into a spoofed site.
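To make the contrast in this subthread concrete, here is an added Python model (my own sketch, not code from anyone in the thread): a mailed login code verifies no matter which site the victim typed it into, so the relay described above succeeds, while a WebAuthn-style assertion signs the origin the browser was really on, so the same relay is rejected. The origins, the service classes and the symmetric key standing in for an authenticator keypair are all constructed for illustration.

```python
import hashlib, hmac, json, secrets

LEGIT_ORIGIN = "https://shop.example"       # constructed: the legitimate service
EVIL_ORIGIN = "https://evil.example.com"    # the relaying site from the thread

class EmailCodeService:
    """Legitimate site that logs users in with a code mailed to their address."""
    def __init__(self):
        self.pending = {}                   # email -> outstanding code
    def start_login(self, email):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = code
        return code                         # stands in for the delivered email
    def finish_login(self, email, code):
        # The code says nothing about WHERE it was typed, so a relayed code verifies.
        return hmac.compare_digest(self.pending.pop(email, ""), code)

class PasskeyService:
    """Legitimate site using an origin-bound signed challenge (WebAuthn-style)."""
    def __init__(self, key):
        self.key, self.challenge = key, None  # key: symmetric stand-in for the public key
    def start_login(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge
    def finish_login(self, assertion):
        data = json.loads(assertion["client_data"])
        # The signed client data names the browser's real origin; it must be ours.
        if data["challenge"] != self.challenge or data["origin"] != LEGIT_ORIGIN:
            return False
        mac = hmac.new(self.key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, assertion["sig"])

def authenticator_sign(key, challenge, origin):
    """The passkey provider signs the challenge together with the origin it is used on."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    return {"client_data": client_data,
            "sig": hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()}

def relay_email_code(service, email="victim@example.com"):
    """Thread scenario: evil backend starts the real login, victim types the mailed code into the evil site."""
    code = service.start_login(email)       # triggered by the evil backend
    return service.finish_login(email, code)  # forwarded by the evil site -> accepted

def passkey_login(service, key, origin):
    """Same flow with a passkey; `origin` is the site the browser is actually on."""
    return service.finish_login(authenticator_sign(key, service.start_login(), origin))
```

Running `relay_email_code` against `EmailCodeService` returns True (the relay works), while `passkey_login` with `EVIL_ORIGIN` returns False and only succeeds with `LEGIT_ORIGIN`.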
  tombds 9 days ago
  Man-in-the-middle attack, basically.

  RamRodification 9 days ago
  It's a constant small annoyance in my life that "email" can mean any of:
  * Electronic mail (the technology)
  * An email message
  * An email address
  * An email inbox
  In this example they mean email address.

  gethly 9 days ago
  It means that you go to foo.com and enter your e-mail to sign up. But foo.com routes that request to bank.com, hoping you have an account there. bank.com sends you a verification email, which you expect from foo.com as part of the sign-up verification process. For some bat shit crazy reason, you ignore that the email came from bank.com and not foo.com and you type the secret code from the email into foo.com to complete the sign-up process. And bam! foo.com got into your bank account. Complete nonsense, but because it works 0.000000000000001% of the time for some crazy niche cases in the real world, let's talk about it.

    ascorbic 9 days ago
    The evil site usually says something like "enter the code from our identity partner x" or something, which is a lot more believable when it's a service like Microsoft that does provide services like that.