Skip to Content.
Sympa Menu

assurance - Re: [Assurance] can two-factor be hacked ?

Subject: Assurance

List archive

Re: [Assurance] can two-factor be hacked ?


Chronological Thread 
  • From: David Langenberg <>
  • To: "" <>
  • Subject: Re: [Assurance] can two-factor be hacked ?
  • Date: Fri, 7 Mar 2014 15:19:21 -0700

Sure, take Mr Bear Bucks JS, package it up into a .crx and upload to the Google Chrome Web Store

Docs:

Getting someone to use the new extension is as simple as a link to the app on the web-store.  If the browser can display it, you can mess with it.  Some popular ones you may have heard of include AdBlock and SocialFixer.  Yes, updates to the enterprise app will break your thing, but it's easy to push updates out.

As for lazy users, I've noticed that once they see how they can be even more lazy with your extension, that will quickly overcome the too-lazy-to-install factor.

Dave



On Fri, Mar 7, 2014 at 3:08 PM, Farmer, Jacob <> wrote:

Dave,

 

That sounds like an interesting idea – do you mind expanding on it a bit?

 

Jacob

 

From: [mailto:] On Behalf Of David Langenberg
Sent: Friday, March 07, 2014 5:06 PM
To:
Subject: Re: [Assurance] can two-factor be hacked ?

 

Even if you start chasing addresses & blacklisting proxies they'll just escalate to my favorite way of handling enterprise apps which have dumb UI issues & committees who refuse to implement common-sense suggestions: the browser extension.  

 

Dave

 

On Fri, Mar 7, 2014 at 2:31 PM, Cantor, Scott <> wrote:

On 3/7/14, 4:27 PM, "Steven Carmody" <> wrote:
>
>The _javascript_ runs completely within the server platform. That's
>something that's new....

Or old, as the case may be. Proxies are really only defeatable in the
usual ways. If they're screen scraping, then you can have an arms race
implementing anti-scraping tricks, but that goes away as soon as you
support something like, say, ECP or Moonshot, that's implementing a
non-browser UI for authentication.

So that leaves chasing addresses, and blacklisting proxies when you find
them.


>As  you say, *should*. However, if its identical to the application's
>login page, then the user would have to look at the url bar... does
>anyone know of anything that could be embedded in the real page, but not
>duplicated in the fake page ?

Nothing I can imagine.

-- Scott



 

--
David Langenberg

Identity & Access Management

The University of Chicago




--
David Langenberg
Identity & Access Management
The University of Chicago



Archive powered by MHonArc 2.6.16.

Top of Page