• ReversalHatchery@beehaw.org
    link
    fedilink
    English
    arrow-up
    3
    ·
    4 months ago

    Does this rely on the user typing in their password, or does somehow even the browser fall for it and autofill it?

    Because in that case, to respond to OP: Firefox is not vulnerable to this, but most users themselves are. Using a password manager like Bitwarden would help, because if you add the website’s real URL to your password entey (happens automatically for the current URL at password entry creation), bitwarden will simply just not show your password entry when the URL does not match.

    Also, install uBlock Origin and turn on it’s phising blocklists in the settings. It can be helpful.

    • Godort@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      An attack using this tool does require that the user actually logs in, but because they’re just acting as a proxy for the real login page, the only way you’d spot the difference is if the URL doesn’t match (or that your password manager doesn’t auto-fill)

      However, it’s pretty easy to see that someone would be fooled by that as you’d expect to need to confirm your identity when adding a gift card to your steam account.