undefined | Better HN

0 pointstotallykvothe10mo ago0 comments

I'm having difficulty understanding what it means for an attacker to "send your email to a legitimate service"...

0 comments

9 comments · 5 top-level

tczMUFlmoNk10mo ago· 1 in thread

I think this means:

1. You go to evil.example.com, which uses this flow.

2. It prompts you to enter your email. You do so, and you receive a code.

3. You enter the code at evil.example.com.

4. But actually what the evil backend did was automated a login attempt to, like, Shopify or some other site that also uses this pattern. You entered their code on evil.example.com. Now the evil backend has authenticated to Shopify or whatever as you.

bscphil10mo ago

The site is comparing this method to plain username + password though. Doesn't that miss the obvious point that evil.example.com could do the exact same thing with the username + password method, except it's even easier to phish because they just get your username + password directly (when you type them in) and then an attacker can log in as you via a real browser?

1 more reply

anonymars10mo ago· 1 in thread

I assume it's a phishing scenario, given the note about password managers. Evil site spoofs the login page, and when you attempt to log in to the malicious site, it triggers an attempt from the real site, which will duly pass you a code, which you unwittingly put into the malicious site

LoganDark10mo ago

TOTP is vulnerable to the same attack, though. If you are fooled into providing the code, it doesn't matter whether it's a fresh one to your email or a fresh one from your authenticator.

2 more replies

tombds10mo ago· 1 in thread

Man in the middle attack basically.

bobmcnamara10mo ago

Confused deputy is you?

gethly10mo ago· 1 in thread

It means that you go to foo.com and enter your e-mail to sign up. But foo.com routes that request and to bank.com, hoping you have an account there.

bank.com sends you verification email, which you expect from foo.com as part of the sign-up verification process. For some bat shit crazy reason, you ignore that the email came from bank.com and not foo.com and you type in the secret code from the email into the foo.com to complete the sign up process.

And bam! the foo.com got into your bank account.

A complete nonsense but because it works in 0.000000000000001% of the time for some crazy niche cases in the real world, let's talk about it.

ascorbic10mo ago

The evil site usually says something like "enter the code from our identity partner x" or something, which is a lot more believable when it's a service like Microsoft that does provide services like that.

1 more reply

RamRodification10mo ago

It's a constant small annoyance in my life that "email" can mean either

* Electronic mail (the technology)

* An email message

* An email address

* An email inbox

In this example they mean email address.

j / k navigate · click thread line to collapse

0 comments

9 comments · 5 top-level

tczMUFlmoNk10mo ago· 1 in thread

I think this means:

1. You go to evil.example.com, which uses this flow.

2. It prompts you to enter your email. You do so, and you receive a code.

3. You enter the code at evil.example.com.

bscphil10mo ago

1 more reply

anonymars10mo ago· 1 in thread

LoganDark10mo ago

TOTP is vulnerable to the same attack, though. If you are fooled into providing the code, it doesn't matter whether it's a fresh one to your email or a fresh one from your authenticator.

2 more replies

tombds10mo ago· 1 in thread

Man in the middle attack basically.

bobmcnamara10mo ago

Confused deputy is you?

gethly10mo ago· 1 in thread

It means that you go to foo.com and enter your e-mail to sign up. But foo.com routes that request and to bank.com, hoping you have an account there.

And bam! the foo.com got into your bank account.

A complete nonsense but because it works in 0.000000000000001% of the time for some crazy niche cases in the real world, let's talk about it.

ascorbic10mo ago

1 more reply

RamRodification10mo ago