
The token could be made only usable by the cli process that asked for it (should be really).


Yes, but that doesn't stop this attack.

1. Attacker runs the cli process to generate the URL

2. Attacker sends the URL to the victim saying "as a second factor verification, you need to copy this code into this form"

3. Victim does it

4. Attacker enters the code into the original cli process



