Services that only sign you in with a phone number and a one-time code, combined with Apple's "complete from text message", make for some interesting attack vectors. If you visit another website for sign-up, they could MITM the token, and due to auto-complete you're unlikely to notice.
Somewhere in the back of my mind I seem to recall reading about some checks to avoid such issues (keeping a metadata-whitelist to associate known senders/messages with websites?), but I might remember that wrong.
@rmondello can probably assess. https://twitter.com/rmondello/status/1185596499817713669
Hmm, are those tokens not single-use?
After you're signed in you can do a lot.
Optimist: Apple pushes for an industry-standard SMS-friendly signature/HMAC system and only fills for apps/sites that validate. Client-side MITM becomes significantly harder for everyone. Realist: “Introducing iMessage MFA”
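As an added illustration of the "Optimist" proposal above (example code written for this page, not from anyone in the thread or from Apple): the service appends an HMAC tag binding the code to its own origin, and the autofill client only offers the code when the tag verifies against the origin of the page the user is actually on. The message format, tag length and the pre-shared per-device key are assumptions of the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Assumed per-device key shared by the service and the autofill client
# (how it is enrolled is out of scope; value constructed for this example).
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def bind_tag(origin: str, code: str, key: bytes = DEVICE_KEY) -> str:
    """HMAC-SHA256 over (origin, code), truncated so it fits in an SMS."""
    msg = f"{origin.lower()}\n{code}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def issue_sms(origin: str, code: Optional[str] = None) -> str:
    """Service side: mint a 6-digit code and emit the text message with its tag."""
    code = code or f"{secrets.randbelow(10**6):06d}"
    return f"Your {origin} login code is {code} #{bind_tag(origin, code)}"


# Six-digit code followed later in the message by a '#' and 16 hex chars.
_SMS_RE = re.compile(r"\b(\d{6})\b.*#([0-9a-f]{16})\b")


def autofill(sms: str, current_origin: str) -> Optional[str]:
    """Client side: return the code only if the tag verifies for current_origin.

    A code issued for example.com and relayed through a look-alike site does
    not verify for the look-alike origin, so nothing is auto-completed there.
    """
    m = _SMS_RE.search(sms)
    if not m:
        return None  # no recognisable code/tag pair: leave it to the user
    code, tag = m.groups()
    if hmac.compare_digest(tag, bind_tag(current_origin, code)):
        return code
    return None
```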
I know.
“MITM.”