a subdomain takeover on a site that uses a widely scoped cookie for an authenticated session, for example, which happened to Uber last year.
I didn't mean to dodge so much as try to diplomatically say that I agree that there are some limitations to the value prop around the browser/cookie protections, but that there are other use cases, like SSO and native OAuth/API, that can benefit
and that even when there are other attack vectors, I believe there's still value in enabling a cookie to be bound to a client-generated asymmetric key, because it does prevent the cookie from being used successfully in a different context without also getting the key
I think subdomain takeover is actually a much bigger threat than many people realize. IIRC @hanno has some nice work on this. See https://twitter.com/hanno/status/1021350234117599234
I asked Ryan about it; subdomain takeover has the same problem: you could just serve some JS that does your attack instead of stealing the cookie and then attacking from your machine. I think this is another "why not just use the vector you used to get the cookie in the first place?"
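The mechanism argued for earlier in the thread (a session cookie bound to a client-generated asymmetric key, with the server demanding proof of possession on every use) and the objection just raised (an attacker who can run JS in the victim's browser never needs the raw cookie) are both easier to see in running code. The block below is an added example written for this page; it is not code from the thread or from any Token Binding implementation. It simplifies on purpose: the client signs a per-connection byte string that stands in for the TLS exported keying material real Token Binding signs, the binding ID is base64url(SHA-256) over the SPKI encoding of a P-256 public key, and the session store is an in-memory map. The user name, the connection material strings and the scenario in main are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// SessionStore is an in-memory stand-in for a session database; each record pins
// the cookie to one client key ID, the role Token Binding's binding ID plays.
type session struct{ user, boundKeyID string }
type SessionStore map[string]session

// ClientKey is the client's key pair; PubDER (SPKI) is what the server sees and binds to.
type ClientKey struct {
	priv   *ecdsa.PrivateKey
	PubDER []byte
}

// Request carries the cookie, the client's public key and a signature over the
// per-connection material (assumed stand-in for the TLS keying material Token Binding signs).
type Request struct {
	Cookie    string
	PubKeyDER []byte
	Signature []byte
}

// NewClientKey generates the per-client P-256 key the cookie will be bound to.
func NewClientKey() (*ClientKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return &ClientKey{priv: priv, PubDER: der}, err
}

// KeyID is the binding identifier: base64url(SHA-256(SPKI DER)).
func KeyID(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// IssueCookie mints a random cookie and records the client key it is bound to.
func IssueCookie(store SessionStore, user string, spkiDER []byte) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	cookie := base64.RawURLEncoding.EncodeToString(raw)
	store[cookie] = session{user: user, boundKeyID: KeyID(spkiDER)}
	return cookie, nil
}

// SignedRequest is what a client holding the private key sends on one connection.
func SignedRequest(k *ClientKey, cookie string, connMaterial []byte) (Request, error) {
	digest := sha256.Sum256(connMaterial)
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
	if err != nil {
		return Request{}, err
	}
	return Request{Cookie: cookie, PubKeyDER: k.PubDER, Signature: sig}, nil
}

// Authenticate accepts the cookie only if the presented key is the bound key and
// the signature proves possession of it for this connection.
func Authenticate(store SessionStore, req Request, connMaterial []byte) (string, error) {
	sess, ok := store[req.Cookie]
	if !ok {
		return "", fmt.Errorf("unknown session cookie")
	}
	if KeyID(req.PubKeyDER) != sess.boundKeyID {
		return "", fmt.Errorf("cookie is bound to a different key")
	}
	parsed, err := x509.ParsePKIXPublicKey(req.PubKeyDER)
	pub, ok := parsed.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return "", fmt.Errorf("bad or unsupported public key")
	}
	digest := sha256.Sum256(connMaterial)
	if !ecdsa.VerifyASN1(pub, digest[:], req.Signature) {
		return "", fmt.Errorf("proof of possession failed")
	}
	return sess.user, nil
}

func main() {
	store := SessionStore{}
	victim, _ := NewClientKey()
	attacker, _ := NewClientKey()
	cookie, _ := IssueCookie(store, "alice", victim.PubDER) // "alice" is a constructed user
	connA := []byte("constructed stand-in for connection A keying material")
	legit, _ := SignedRequest(victim, cookie, connA)
	fmt.Println(Authenticate(store, legit, connA)) // alice <nil>
	stolen, _ := SignedRequest(attacker, cookie, connA) // stolen cookie, attacker's own key
	fmt.Println(Authenticate(store, stolen, connA))
	stolen.PubKeyDER = victim.PubDER // victim's public key, but the attacker cannot sign with it
	fmt.Println(Authenticate(store, stolen, connA))
	fmt.Println(Authenticate(store, legit, []byte("connection B"))) // signature replayed elsewhere
}
```

Running it shows the property the thread is debating: a cookie exfiltrated to the attacker's machine fails the binding-ID check when presented with the attacker's key, fails proof of possession when presented with the victim's public key, and a captured signature does not carry over to a different connection. It also shows the limit raised in the reply above it: JS served from a taken-over subdomain runs inside the victim's browser, which holds the private key, so requests it triggers are signed in the legitimate context and pass every check here.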
Agree on all the accounts. That said, subdomain takeover is less niche than imagined.
I realized after this tweet that Token Binding doesn't solve subdomain takeover. The only example attack I've heard of that does seem sound is accidental passive leak of cookies into log files.
A good argument can be made that Microsoft and their services need this feature more than the industry as a whole does. If you lack the capacity to account for these aforementioned scenarios without token binding, then compensating with token binding would make a lot of sense.