To all the people telling me this will never happen, and I should stop trash talking 2FA (TOTP, SMS, etc *not* U2F). Please read this, then kindly apologise. https://twitter.com/josephfcox/status/1075391745502924801 …
-
I think push tokens are equally vulnerable, unless you mean the user might verify the IP address doesn't match? They might, but it's hard to imagine how phishable users can't verify the origin but can verify the IP.
Replying to @taviso @infosecspy
The flow I think you're talking about is: I log in to a http://fakesite.com, then I get a push notification from http://realsite.com. I think I'm logging into http://realsite.com (even though I'm not), so click "Allow".