[Openid-specs-fapi] Addressing "User Interface Hijack attack" in FAPI 2?
Anders Rundgren
anders.rundgren.net at gmail.com
Wed Jun 1 04:48:54 UTC 2022
On 2022-05-31 21:44, Nat Sakimura via Openid-specs-fapi wrote:
> One of the things that I did not adequately address when designing FAPI 1.0 is the Browser User Interface Hijack attack. This is happening in real life. In this attack, the attacker hijacks the user interface of the consumption device and rewrites the user interface so that the attacker can obtain a false authorization, e.g., changing the account number to which money is being sent on the user interface. The user thinks that it is a legitimate payment to someone he intends, but the actual payment message is saying that it will go to the attacker.
>
> If we address this, perhaps could it be a compelling enough "feature" that implementation may want to upgrade?
>
> BTW, this will likely require multi-device authorization with independent U/I generation mechanisms. Multi-device with the same browsers with synchronized plug-ins probably will not work.
Isn't this addressed by W3C's Secure Payment Confirmation available in Chromium-based browsers?
Thanx,
Anders
>
> Cheers,
> --
> Nat Sakimura
> FAPI WG Co-chair
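To make the attack and the proposed countermeasure concrete, here is an added model (not code from the thread, the FAPI WG, or any browser vendor) of the two flows Nat describes: a single consumption device whose hijacked UI displays one payee while submitting another, and a second device that renders the bank's own copy of the transaction and signs exactly what the user confirmed. Account strings, the device key and the HMAC-based signing are constructed placeholders for illustration; a real deployment would use an asymmetric device key.

```python
"""Model of a browser UI hijack on a payment and of second-device confirmation
with independently generated UI. Added example; all values are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Payment:
    payee: str      # destination account
    amount: str     # decimal string, e.g. "120.00"
    currency: str

    def canonical(self) -> bytes:
        # Deterministic byte encoding so signer and verifier hash identical input.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()


# Constructed sample data: the payment the user intends, and the attacker's diversion.
INTENDED = Payment("ACCT-GENUINE-0001", "120.00", "EUR")
DIVERTED = Payment("ACCT-ATTACKER-9999", "120.00", "EUR")

# A browser is modelled as: intended payment -> (what it displays, what it submits).
Browser = Callable[[Payment], Tuple[Payment, Payment]]


def honest_browser(intended: Payment) -> Tuple[Payment, Payment]:
    return intended, intended


def hijacked_browser(intended: Payment) -> Tuple[Payment, Payment]:
    # UI hijack: the screen still shows the genuine payee, the request carries the attacker's.
    return intended, DIVERTED


def user_confirms(shown: Payment, intended: Payment) -> bool:
    """The user compares what is on screen with what they meant to send."""
    return shown == intended


def single_device_flow(intended: Payment, browser: Browser) -> str:
    """The consumption device renders and submits; the bank never learns what was displayed."""
    shown, submitted = browser(intended)
    if not user_confirms(shown, intended):
        return "refused"
    return f"executed:{submitted.payee}"


# --- Second device with independent UI generation (the direction the thread proposes) ---

# Constructed shared secret standing in for the device's signing key (asymmetric in practice).
DEVICE_KEY = b"constructed-demo-key-not-for-reuse"


def second_device_confirm(payment_from_bank: Payment, intended: Payment) -> Optional[bytes]:
    """The second device renders the bank's copy of the payment with its own UI code,
    so a hijacked browser has no influence over what the user sees here."""
    if not user_confirms(payment_from_bank, intended):
        return None
    return hmac.new(DEVICE_KEY, payment_from_bank.canonical(), hashlib.sha256).digest()


def bank_execute(payment: Payment, signature: Optional[bytes]) -> str:
    """Execute only a payment whose canonical bytes match the device's signature."""
    if signature is None:
        return "refused"
    expected = hmac.new(DEVICE_KEY, payment.canonical(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "rejected:signature-mismatch"
    return f"executed:{payment.payee}"


def multi_device_flow(intended: Payment, browser: Browser, tamper_after_confirm: bool = False) -> str:
    """The bank pushes the submitted payment to the second device and executes only what it signed."""
    _shown, submitted = browser(intended)
    signature = second_device_confirm(submitted, intended)
    # tamper_after_confirm models the payee being altered after the user has confirmed.
    to_execute = DIVERTED if tamper_after_confirm else submitted
    return bank_execute(to_execute, signature)


if __name__ == "__main__":
    print(single_device_flow(INTENDED, hijacked_browser))   # the hijack succeeds
    print(multi_device_flow(INTENDED, hijacked_browser))    # user sees the diverted payee and refuses
    print(multi_device_flow(INTENDED, honest_browser, tamper_after_confirm=True))  # signature mismatch
```

The two properties that matter are visible in the model: the second device derives its display from the bank's copy of the transaction rather than from the browser's rendering, and the bank executes only the canonical bytes the device signed. Nat's caveat about synchronized plug-ins corresponds to a second device whose rendering path shares code with the compromised browser; in that case `second_device_confirm` would again show the genuine payee and the independence is lost.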