Why Google Should Customize your Gmail Login Page to Prevent Phishing.

Disclaimer: The following post uses Gmail and Google Accounts as a punching bag, but the problems discussed are widely known, universal to identity providers on the web, and not Google's fault. Gmail has been chosen to play the victim only because of its popularity and general bestness.

Password phishing attacks have been going on for over 25 years and the situation has only gotten worse. This post argues that by using a browser plugin to customize login pages on the client, attackers will have significantly greater difficulty forging believable login pages. I will argue this point by first showing two phishing attacks which would probably fool a fairly sophisticated computer user. Compare these attacks to the typical advice on preventing phishing. These attacks are almost certainly not novel and are probably used in the wild.

Websites will often allow users to authenticate with their Google account using OAuth. If the user is not already logged into their Google account, it will ask them to log in:

1. Alice goes to a site that appears to have content that Alice wants.
2. To access the content, the website requires that Alice authenticate with her Google account before making a purchase.
3. Alice clicks 'authenticate with Google' and is taken to a Google Accounts login screen.
4. Alice enters her username and password and is then allowed into the site.

Eve wants to steal Alice's password, so she sets up a website as above, but in step 3 Alice is sent to a fake but realistic-looking Gmail login page. Alice just gave her username and password away. Eve can interactively check whether Alice provided a real username and password by supplying them to Gmail to see if they work. If Alice had two-factor authentication set up, Eve can merely request a verification code from Alice as part of the login request.
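To make the proposal concrete, here is an added example (not code from the original post) of the core decision a client-side customization plugin would make: it shows a user-chosen phrase and colour only when the page's exact origin is the real identity provider. The trusted origin `https://accounts.google.com`, the settings object and the lookalike URLs in the comments are assumptions constructed for the example.

```javascript
// Added example: origin-bound login-page customization, the idea the post
// proposes. The user picks a phrase and colour once; the extension stores
// them where page scripts cannot read them and injects them only on the
// real login origin. A fake page cannot know the phrase, and it cannot
// trigger the banner because the check is an exact origin match, not a
// substring match on the hostname.

// Hypothetical per-user settings (constructed values); a real extension
// would load these from its own storage area, not from the page.
const userSettings = {
  trustedOrigins: ["https://accounts.google.com"],
  phrase: "purple giraffe 42",
  colour: "#6a0dad",
};

// Returns the decoration to render for `url`, or null when the page is
// not a trusted login origin. Exported pure logic so it can be tested
// without a DOM.
function decorationFor(url, settings = userSettings) {
  let origin;
  try {
    origin = new URL(url).origin; // scheme + host + port, nothing else
  } catch {
    return null; // unparsable URL: never decorate
  }
  // Exact comparison: a lookalike such as
  // "https://accounts.google.com.login-example.test" or a downgraded
  // "http://accounts.google.com" both fail this check.
  if (!settings.trustedOrigins.includes(origin)) return null;
  return { phrase: settings.phrase, colour: settings.colour };
}

// Content-script side: inject the banner when the decision says so.
// Takes `doc` as a parameter so the function is usable outside a browser.
function renderBanner(doc, url, settings = userSettings) {
  const deco = decorationFor(url, settings);
  if (!deco) return false;
  const banner = doc.createElement("div");
  banner.textContent = `Your login phrase: ${deco.phrase}`;
  banner.style.background = deco.colour;
  banner.style.padding = "8px";
  doc.body.prepend(banner);
  return true;
}

// When loaded as a content script, decorate the current page if trusted.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  renderBanner(document, location.href);
}
```

Because the banner is keyed to the origin rather than to the page's appearance, the user's tell-tale is absent on any page that merely looks like the login screen.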