Behold, a password phishing site that can trick even savvy users

When we teach people how to avoid falling victim to phishing sites, we usually advise closely inspecting the address bar to make sure it does contain HTTPS and that it doesn't contain suspicious domains such as … or substitute letters such as … But what if someone found a way to phish passwords using a malicious site that didn't contain these telltale signs?

One researcher has devised a way to do just that. He calls it a BitB, short for "browser in the browser." It uses a fake browser window inside a real browser window to spoof an OAuth page. Hundreds of thousands of sites use the OAuth protocol to let visitors log in using their existing accounts with companies like Google, Facebook, or Apple. Instead of having to create an account on the new site, visitors can use an account that they already have, and the magic of OAuth does the rest.
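Because a real OAuth popup is a separate top-level window, a web page has no legitimate reason to paint an address bar of its own. The following defensive heuristic, added here as an example and not part of the article or of the researcher's work, flags an in-page "window" whose displayed origin differs from the origin that actually serves its content. The element model, the `collectCandidates` helper and the sample data are constructed for illustration.

```javascript
// Resolve a URL (optionally relative to a base) to a lowercase origin, or null.
function originOf(url, base) {
  try { return new URL(url, base).origin.toLowerCase(); } catch (e) { return null; }
}

// Text that is nothing but one URL is what a painted address bar looks like.
const ADDRESS_BAR_RE = /^\s*https?:\/\/\S+\s*$/i;

// Classify one candidate overlay.
//   shownText : text painted where a URL bar would be
//   frameSrc  : src of an iframe inside the overlay, or null if the "login form" is inline HTML
//   pageOrigin: origin of the page really loaded in the real browser
function classifyOverlay(shownText, frameSrc, pageOrigin) {
  if (!ADDRESS_BAR_RE.test(shownText)) return 'not-address-bar';
  const shown = originOf(shownText.trim());
  if (!shown) return 'not-address-bar';
  // Inline content is served by the page itself; iframe content by its src.
  const loaded = frameSrc ? originOf(frameSrc, pageOrigin) : pageOrigin.toLowerCase();
  // Decisive signal: the origin the user is shown is not the origin serving the form.
  return shown === loaded ? 'consistent' : 'spoofed';
}

// Filter a list of candidates (plain objects, so this runs without a DOM).
function findSpoofedOverlays(candidates, pageOrigin) {
  return candidates.filter(c => classifyOverlay(c.shownText, c.frameSrc, pageOrigin) === 'spoofed');
}

// Hypothetical DOM collector for a userscript or extension content script:
// every element whose text is a bare URL, paired with the nearest iframe.
function collectCandidates(doc) {
  const out = [];
  for (const el of doc.querySelectorAll('div, section, span')) {
    const text = el.textContent || '';
    if (!ADDRESS_BAR_RE.test(text)) continue;
    const container = el.closest('div, section');
    const iframe = container ? container.querySelector('iframe') : null;
    out.push({ shownText: text, frameSrc: iframe ? iframe.getAttribute('src') : null });
  }
  return out;
}

// Constructed sample: two fake Google sign-in windows painted by evil.example
// (one iframe-based, one inline) and a harmless paragraph that mentions a URL.
const SAMPLE = [
  { shownText: 'https://accounts.google.com/o/oauth2/auth?client_id=123', frameSrc: 'https://evil.example/google-login.html' },
  { shownText: 'https://accounts.google.com/o/oauth2/auth', frameSrc: null },
  { shownText: 'See https://example.com/help for details', frameSrc: null },
];
```

In a real deployment the page origin comes from `location.origin` and the candidates from `collectCandidates(document)`; the check is a heuristic and a genuine popup, which lives outside the page's DOM, is never examined by it.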

Exploiting trust

The photo editing site Canva, for instance, gives visitors the option to log in using any of three common accounts. The images below show what a user sees after clicking the "sign in" button; following that, the images show what...

