To all the people telling me this will never happen, and I should stop trash talking 2FA (TOTP, SMS, etc *not* U2F). Please read this, then kindly apologise. https://twitter.com/josephfcox/status/1075391745502924801 …
SSL has nothing to do with this, and it's not difficult at all, it's trivially easy - SMS 2FA, TOTP and HOTP are all bad solutions to phishing, because they're phishable. The linked article describes a successful attack.
-
-
What about actually implementing the token binding with U2F to prevent MITM? The attack in the article is old hat anyways; all the cool kids are automating reverse proxies (why fake a site when you don’t have to or limit yourself to one set of credentials) and Chrome telemetry
-
-
-
I've suspected this for a while but couldn't find data on rates of susceptibility. Do you know if anyone has studied this? Not if it is possible, already sold on that, but at what rate will people fall for it vs a straight password phish?