undefined | Better HN

0 pointsrabite4y ago0 comments

With a non-HTTPS link, an attacker could trivially MITM the connection and forward it to a domain like id.hеrоku.com instead with a completely valid SSL cert with lock symbol. In case you can't realize, that domain is made up of unicode homoglyphs and would be nearly completely indistinguishable from the real heroku.com in some browsers. They could have a website resting on that domain that is indistinguishable from the normal heroku website and simply acts as a form proxy, relaying the real credentials provided by the user to the actual heroku website, performing the password reset successfully while storing the legitimate credentials permanently and additionally scraping the user's cookie to utilize their access to the panel post facto even if the user has 2FA authentication enabled. It's a monumental fuckup.

0 pointsrabite4y ago0 comments

0 comments

4 comments · 2 top-level

nomilk4y ago· 2 in thread

I certainly couldn't tell the difference, wow.. id.hеrоku.com and id.heroku.com look identical to me. I see the problem now.

How hard is it for an attacker to do a MITM? Would the attacker need physical access to the user's wifi router?

rabiteOP4y ago

pay for colocation with BGP access with a fake ID or compromise any BGP-announcing router in the entire world (I've found cisco routers with announce access, with default credentials, on networks that don't do any kind of prefix filtering many times before) and you can trivially MITM most any network in the world with very minimal impact. I recommend you watch to Kapela and Pilosov's talk from DEFCON 16 to see how easy it is: https://www.youtube.com/watch?v=oWdjsfsS_Do

or if you don't want to do it via BGP announcement you can just compromise any of the devices that are along the route between the client and the server. BGP is the rocket launcher of worldwide circuit compromise, but there's many other guns you can pick up

nomilk4y ago

Thanks for the recommendation, was very interesting. 14 years old though, things would have changed since, I hope?

1 more reply

ravel-bar-foo4y ago

The real problem is having a link in the email at all. How many readers will check to make sure the email is from a non-unicode domain and that an https link in the email goes to a non-unicode domain?

j / k navigate · click thread line to collapse