Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Angostura 9 days ago

I read this sentence 4 times and I still can't parse it:

> An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can't know for sure if the code is supposed to be entered in the right place.

antirez 9 days ago | parent [-]

Because the sentence makes no sense, but what the author wanted to say was:

- You are in front of the attacker site that looks like a legitimate site where you have an account (you arrived there in any way: Whatsapp link, SMS, email, whatever). Probably the address bar of your browser shows something like microsoft.minecraft-softwareupdate.com or something alike, but the random user can't tell it's fake. The page asks you to login (in order to steal your account).

- You enter the email address to login. They enter your email address in the legitimate site where you actually have an account.

- Legitimate site (for example Microsoft) sends you an email with a six digit code, you read the code, it looks legit (it is legit) and you enter it in the attacker site. They can now login with your account.

kenjackson 9 days ago | parent | next [-]

I read it as just some web page that was bad, but not necessarily imitating a good sits. For example some new gaming forum that pops up, which is bad, but uses the gaming forum to get people to send them six digit codes which they use for whatever sites they see fit. Then the people who run the gaming forum are now stealing your Etsy account.

trinix912 9 days ago | parent | prev [-]

I think one can also understand it as the attacker being the one to enter the email first.

> An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can't know for sure if the code is supposed to be entered in the right place.

Replace "can simply send your email address" with "can simply input your email address". An attacked inputs your email at login.example.com, which sends a code to your email. The attacker then prompts you for that code (ex. via a phishing sms), so you pass them the code that lets them into the account.