[Openid-specs-fapi] Addressing "User Interface Hijack attack" in FAPI 2?
Nat Sakimura
nat at nat.consulting
Tue May 31 19:44:38 UTC 2022
One of the things that I did not adequately address when designing FAPI 1.0
is the Browser User Interface Hijack attack. This is happening in real
life. In this attack, the attacker hijacks the user interface of the
consumption device and rewrites the user interface so that the attacker can
obtain a false authorization, e.g., changing the account number to which
money is being sent on the user interface. The user thinks that it is a
legitimate payment to someone he intends, but the actual payment message is
saying that it will go to the attacker.
If we address this, perhaps it could be a compelling enough "feature" that
implementations may want to upgrade?
BTW, this will likely require multi-device authorization with independent
U/I generation mechanisms. Multi-device with the same browsers with
synchronized plug-ins probably will not work.
Cheers,
--
Nat Sakimura
FAPI WG Co-chair
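As an added illustration (not part of Nat's message, nor code from any FAPI specification or implementation), the following Python sketch models the attack described above and the independent second-device display he suggests as a countermeasure. The class names (PaymentRequest, AuthorizationServer), the consent id and the account numbers are all constructed for the example; the server's "authoritative copy" stands in for whatever request the server actually received from the client, as opposed to what the browser rendered.

```python
"""Browser UI hijack on a payment consent screen, and an independent
second-device display that exposes it. Added example; every name and
value here is constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class PaymentRequest:
    """Constructed request shape; real payment requests carry more fields."""
    payee_account: str
    amount: str
    currency: str


def request_hash(req: PaymentRequest) -> str:
    """Short hash of the canonical JSON form of a request. The second device
    shows it beside the details and the server binds confirmations to it."""
    data = json.dumps(asdict(req), sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()[:16]


class AuthorizationServer:
    """Keeps the authoritative copy of each pending request, i.e. what the
    client actually submitted, not what the browser displayed."""

    def __init__(self) -> None:
        self._pending: Dict[str, PaymentRequest] = {}

    def register(self, consent_id: str, req: PaymentRequest) -> None:
        self._pending[consent_id] = req

    def authoritative_view(self, consent_id: str) -> PaymentRequest:
        return self._pending[consent_id]

    def confirm(self, consent_id: str, confirmed_hash: str) -> bool:
        """Accept only a confirmation bound to the stored request."""
        return request_hash(self._pending[consent_id]) == confirmed_hash


def browser_ui(req: PaymentRequest, rewrite: Optional[dict] = None) -> dict:
    """What the consumption-device browser shows. A hijacking extension can
    rewrite the displayed fields while the real request stays untouched."""
    shown = asdict(req)
    if rewrite:
        shown.update(rewrite)
    return shown


def second_device_ui(server: AuthorizationServer, consent_id: str) -> dict:
    """An independent device fetches the details from the server directly,
    so a rewrite in the browser never reaches this display."""
    req = server.authoritative_view(consent_id)
    return {**asdict(req), "hash": request_hash(req)}


def display_mismatch(browser_view: dict, second_view: dict) -> Set[str]:
    """Fields on which the two displays disagree. Non-empty means the
    browser display cannot be trusted and the user should decline."""
    return {k for k, v in browser_view.items() if second_view.get(k) != v}


def simulate_hijack() -> dict:
    """The user intends to pay INTENDED; the hijacked page submits a request
    to ATTACKER but keeps showing INTENDED on screen. Values are constructed."""
    intended = PaymentRequest("GB00-INTENDED-PAYEE", "100.00", "GBP")
    actual = PaymentRequest("GB00-ATTACKER-ACCT", "100.00", "GBP")

    server = AuthorizationServer()
    server.register("consent-1", actual)  # what really reached the server

    # The browser paints the intended payee over the attacker's real request.
    on_browser = browser_ui(actual, rewrite={"payee_account": intended.payee_account})
    on_second_device = second_device_ui(server, "consent-1")

    return {
        "mismatch": display_mismatch(on_browser, on_second_device),
        # Confirming what the browser displayed is rejected by the server...
        "confirm_browser_view": server.confirm("consent-1", request_hash(intended)),
        # ...and only the real request would be accepted, which the user can
        # now see (and decline) on the second device.
        "confirm_second_device_view": server.confirm("consent-1", on_second_device["hash"]),
    }


if __name__ == "__main__":
    print(simulate_hijack())
```

The check only helps under the condition the message already states: the second device must render its own view from the server, not share a browser profile or synchronized plug-ins with the hijacked one, otherwise both displays can be rewritten in the same way.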