Hacker News new | past | comments | ask | show | jobs | submit login

I don't see how CSRF tokens apply here. They can login as you on another machine.



You did not read the parent comment. They cannot (or should not) be able to forward the login to Google's real form and trigger SMS 2FA because the real form should be protected by CSRF tokens.


No, CSRF isn't relevant. I'm an attacker and I have a server that's pretending to be a Google login form. I also have a client computer with a scripted browser pretending to be someone trying to login to Google. When you come to my page and login, I steal your data and immediately have my client program use it to login. If Google asks my client browser for a 2FA code, behind the scenes I forward that request to you and then when you answer, I forward the answer back to Google. From what Google can see, it just looks like someone logging in from a new computer.

None of this has anything to do with cross-site scripting. It's a MITM attack. CSRF doesn't come into play.


That's not what CSRF protects against and neither is it meant to. CSRF happens when you try to submit a form hosted on your site to a target site that the user has already authenticated to.

Here, the real form can be accessed from the attacker's browser, not the victim's, hence the attacker knows the CSRF tokens. CSRF doesn't protect against phishing.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: