<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 2022-05-31 21:44, Nat Sakimura via
      Openid-specs-fapi wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAJcjuEKH7eeJhUORDJ4Qi-y2D=-sTCZ0+ZB3vhuj4OnLH78wJA@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">One of the things that I did not adequately address
        when designing FAPI 1.0 is the Browser User Interface Hijack
        attack. This is happening in real life. In this attack, the
        attacker hijacks the user interface of the consumption device
        and rewrites the user interface so that the attacker can obtain
        a false authorization, e.g., changing the account number to
        which money is being sent on the user interface. The user thinks
        that it is a legitimate payment to someone he intends, but the
        actual payment message is saying that it will go to the
        attacker. 
        <div><br>
        </div>
        <div>If we address this, perhaps it could be a compelling enough
          "feature" that implementations may want to upgrade? </div>
        <div><br>
        </div>
        <div>BTW, this will likely require multi-device authorization
          with independent U/I generation mechanisms. Multi-device with
          the same browsers with synchronized plug-ins probably will not
          work. <br>
        </div>
      </div>
    </blockquote>
    <br>
    Isn't this addressed by W3C's Secure Payment Confirmation available
    in Chromium-based browsers?<br>
    <br>
    Thanx,<br>
    Anders<br>
    <br>
    <blockquote type="cite"
cite="mid:CAJcjuEKH7eeJhUORDJ4Qi-y2D=-sTCZ0+ZB3vhuj4OnLH78wJA@mail.gmail.com">
      <div dir="ltr">
        <div>
          <div><br>
          </div>
          <div>Cheers, </div>
          <div>-- <br>
            <div dir="ltr" class="gmail_signature"
              data-smartmail="gmail_signature">
              <div dir="ltr">Nat Sakimura
                <div>FAPI WG Co-chair</div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="moz-mime-attachment-header"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Openid-specs-fapi mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-fapi@lists.openid.net">Openid-specs-fapi@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="https://lists.openid.net/mailman/listinfo/openid-specs-fapi">https://lists.openid.net/mailman/listinfo/openid-specs-fapi</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>