by mastersplinter
462 days ago
I like “phishing passkey protected accounts”. I'm not sure I understand what you mean here with:
> I’m not going to reach for my phone to scan the QR

The whole point of the attack is that it can be delivered without you having to scan the QR code, exploiting the fact that browsers allowed (patched) navigation to fido:/ links, initiating the BLE communication to a malicious device that is relaying the communication to the legitimate site, stealing a session. Let me know if that clears up the confusion.

As for phishing resistant / phishing proof, to some it is the same thing; nothing is "anything"-proof, so I did not pay too much attention to the wording. Also, I just wanted to stress the fact that although some theorized attacks were present, I had not seen anything put in practice before, which is what motivated me to prove it was not impossible.

Thanks for the feedback, will be making changes to the blog to clear up some of the things you have outlined here :)