Quote:
Originally Posted by Vendot
Yes but if for example, If I login to Namecheap and provide my 2FA - that password is valid only the moment I use it because 2FA is in effect an OTP (one time password).
Since I am using it as soon as I am receiving it, the 2FA is of no use to the phisher who has no way to obtain a new one because he doesn't own my phone. I think technically its possible but difficult for a phish site to use a 2FA.
|
You're not getting it.
If you're logging in via the phish site, which then relays your username, password and a valid 2FA token to the registrar, they control your session. There is only the 2FA challenge once, at login; every subsequent load will present some sort of session identifier, in the URL, or a cookie. Since you're going via the phish site, they can capture that session identifier, and now they own your session.
Then it's as simple as printing a "we were wrong, apologies for the inconvenience," with a fake logout button, to make the user go away (remember they're responding to a notice about their domain, not just routinely logging in to do something else.) Phish site still owns the active session and can do anything with your account that does not require another 2FA challenge.