undefined | Better HN

0 pointsvanviegen1y ago0 comments

Wouldn't that just log you in on the browser doing the clicking, instead of the attackers browser?

0 comments

You mean in the booking example? They logged in the browser that... requested access. So basically anyone that knew your login/email.

I think it should check if browser requesting is the same as the one confirming, or just drop that whole dumb mechanism entirely.

j / k navigate · click thread line to collapse

0 pointsvanviegen1y ago0 comments

Wouldn't that just log you in on the browser doing the clicking, instead of the attackers browser?

You mean in the booking example? They logged in the browser that... requested access. So basically anyone that knew your login/email.

I think it should check if browser requesting is the same as the one confirming, or just drop that whole dumb mechanism entirely.

j / k navigate · click thread line to collapse