Broad statement KLAXXON
https://twitter.com/taviso/status/1082015009348104192 …
Yes, I'm aware they (falsely) claim they solve phishing. That is not accurate. Phishing works using real authorized devices, so verifying it was signed makes no sense; it's pretty scary they don't realize this.
1. User visits fakesite, fakesite proxies realsite
2. User logs in, fakesite forwards login to realsite
3. realsite initiates push request to user's device
4. User confirms they are trying to log in
5. realsite cryptographically verifies confirmation
6. Phisher is authenticated.
See the original tweet for a demo with SMS 2FA, just imagine a push request instead of SMS and the same attack works.
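A small model of the six-step flow above, added here as an example and not taken from the thread: an HMAC over a constructed device key stands in for the device's signing key, the proxy is simulated by the browser origin the user actually typed in, and the origin-bound variant is the defender's fix (the shape WebAuthn uses by signing the origin inside clientDataJSON). The site names, key and function names are assumptions.

```python
import hmac
import hashlib
import secrets

REAL_ORIGIN = "https://realsite.example"   # constructed name
FAKE_ORIGIN = "https://fakesite.example"   # constructed name

# Constructed: key shared between the user's enrolled device and realsite.
DEVICE_KEY = b"constructed-device-key"


def sign(payload: str) -> str:
    return hmac.new(DEVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def push_confirm(nonce: str) -> dict:
    """Step 4: the real device signs the nonce realsite pushed to it.
    Nothing in the signed data says which site the user is looking at."""
    return {"nonce": nonce, "sig": sign(nonce)}


def verify_push(nonce: str, conf: dict) -> bool:
    """Step 5: realsite only checks that an authorized device signed its nonce."""
    return conf["nonce"] == nonce and hmac.compare_digest(conf["sig"], sign(nonce))


def origin_bound_confirm(nonce: str, browser_origin: str) -> dict:
    """Mitigation: the client signs the origin it is really talking to
    together with the nonce, so a relayed confirmation carries fakesite."""
    return {"nonce": nonce, "origin": browser_origin,
            "sig": sign(f"{browser_origin}|{nonce}")}


def verify_origin_bound(nonce: str, conf: dict, expected_origin: str) -> bool:
    """realsite rejects any confirmation whose signed origin is not its own."""
    expected_sig = sign(f"{conf['origin']}|{conf['nonce']}")
    return (conf["nonce"] == nonce
            and conf["origin"] == expected_origin
            and hmac.compare_digest(conf["sig"], expected_sig))


def login(browser_origin: str, bound: bool) -> bool:
    """Run the thread's flow once. browser_origin is the site the user typed
    in; when it is FAKE_ORIGIN the fake site is proxying realsite."""
    nonce = secrets.token_hex(8)          # realsite's fresh challenge
    if bound:
        conf = origin_bound_confirm(nonce, browser_origin)
        return verify_origin_bound(nonce, conf, REAL_ORIGIN)
    conf = push_confirm(nonce)            # relayed unchanged by the proxy
    return verify_push(nonce, conf)
```

With the plain push the proxied login verifies exactly like a genuine one; with origin binding the same flow through fakesite fails, and re-labelling the origin after the fact fails too because the signature covers it.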
