Side Channel Matching

Lucas Gonze edited this page Jun 13, 2014 · 4 revisions

The owner of an account signs in using their email address or phone number. An email or SMS is sent. The message is opened, and the owner accepts the option to sign in.

But where are they signed in? In the window where they first entered the address? On the phone where they got the SMS rather than the PC where they were signing in?

If the sign-in lands in the same window as the original sign-in form, there is an opening for something like a phishing attack: the person who accepts the prompt to sign in may not be the same person operating the sign-in form. They might accept the prompt by accident, be tricked, or not understand what it means, and at that point the person operating the sign-in form would have complete control over their account settings.

How can the owner of the side channel be correlated with the person operating the sign-in form?

Human-friendly token

To correlate an SMS received on a phone with a browser session on a different computer, the message can contain a token for the user to enter into the sign-in form, for example a four-digit PIN. The message might say:

"To sign in, enter this number in your web session: 1234."

This adds a fair amount of friction to the user experience, but it is quite secure.

The token could be made more user-friendly, for example two digits instead of four, but the basic hurdle remains reasonably high.
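The PIN flow above, as an added illustration that is not part of the original wiki page or its project: the sign-in form creates a pending request keyed by the form's own session, the PIN travels over the side channel, and only the window that started the request can redeem it. The expiry, attempt limit and constant-time comparison are assumptions added here for a practical implementation; a two-digit PIN would keep the same shape but leaves only 100 possible values, which is why the attempt limit matters.

```python
import hmac
import secrets
import time

PIN_DIGITS = 4          # length from the page's example; two digits is a far smaller space
PIN_TTL_SECONDS = 300   # assumption: the PIN expires after five minutes
MAX_ATTEMPTS = 3        # assumption: the pending request is dropped after three wrong guesses


class PendingSignIn:
    """A sign-in request waiting for the side-channel PIN to be typed into the form."""

    def __init__(self, account, pin, created_at):
        self.account = account
        self.pin = pin
        self.created_at = created_at
        self.attempts = 0


class TokenSignIn:
    """Server side of the human-friendly token scheme (hypothetical class)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised offline
        self.pending = {}       # form session id -> PendingSignIn

    def start(self, form_session_id, account):
        """Called when the sign-in form is submitted. Returns the message to send by SMS/email."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self.pending[form_session_id] = PendingSignIn(account, pin, self.now())
        return f"To sign in, enter this number in your web session: {pin}."

    def verify(self, form_session_id, typed_pin):
        """Called from the ORIGINAL browser window. Returns the account on success, else None."""
        req = self.pending.get(form_session_id)
        if req is None:
            return None                      # nothing pending for this form session
        if self.now() - req.created_at > PIN_TTL_SECONDS:
            del self.pending[form_session_id]
            return None                      # stale PIN; user must start over
        req.attempts += 1
        if req.attempts > MAX_ATTEMPTS:
            del self.pending[form_session_id]
            return None                      # guessing budget exhausted; start over
        if not hmac.compare_digest(req.pin, typed_pin):
            return None                      # wrong PIN, request still pending
        del self.pending[form_session_id]    # one successful use consumes the request
        return req.account


def extract_pin(message):
    """Pull the PIN out of the outbound message text (stands in for the user reading the SMS)."""
    return message.rsplit(": ", 1)[1].rstrip(".")


if __name__ == "__main__":
    svc = TokenSignIn()
    sms = svc.start("form-session-1", "alice@example.test")   # constructed sample values
    print(sms)
    print(svc.verify("form-session-1", extract_pin(sms)))     # prints the account
```

The form session id is whatever identifies the window that submitted the form (a session cookie, for instance); the SMS recipient never handles it, so a person who merely sees the PIN cannot redeem it without also operating that window.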

Shared Cookie

If the confirmation request contains a link to open in a browser...

And the recipient opens the link in the same browser that was used to generate the sign-in request...

And the window opened from the confirmation request sets a cookie...

Then the cookie will also be set in the window that was used to generate the sign-in request.
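The shared-cookie flow above, as an added example that is not the wiki's or the project's own code: a cookie jar stands in for a browser (every window of one browser shares it), the confirmation link carries a one-time token, and the session cookie is set in whichever browser opens the link. Running both scenarios shows the property the page relies on: when the link is opened in the same browser, the original form window sees the session; when someone else's browser opens it, the form window stays signed out. The link format and token lengths are assumptions.

```python
import secrets


class CookieJar(dict):
    """All windows of one browser share one jar; a different browser has a different jar."""


class SideChannelServer:
    """Server side of the shared-cookie scheme (hypothetical class)."""

    def __init__(self):
        self.pending = {}    # confirmation token -> account awaiting confirmation
        self.sessions = {}   # session id -> signed-in account

    def submit_form(self, account, jar):
        """Step 1: the sign-in form is submitted. Returns the link to send by email/SMS."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = account
        return f"https://example.test/confirm?token={token}"   # constructed link format

    def open_confirmation(self, link, jar):
        """Step 2: the link is opened in some browser. Sets the session cookie in THAT browser."""
        token = link.split("token=", 1)[1]
        account = self.pending.pop(token, None)   # pop: the link works exactly once
        if account is None:
            return False                          # unknown or already-used link
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = account
        jar["session"] = session_id               # cookie lands in the opening browser's jar
        return True

    def whoami(self, jar):
        """Step 3: the original form window reloads with its browser's cookies."""
        return self.sessions.get(jar.get("session"))


def same_browser_flow(server):
    """Link opened in the browser that submitted the form: the form window is signed in."""
    pc = CookieJar()
    link = server.submit_form("alice@example.test", pc)
    server.open_confirmation(link, pc)
    return server.whoami(pc)


def different_browser_flow(server):
    """Link opened elsewhere: the session goes to that browser, not to the form window."""
    form_window = CookieJar()      # whoever is operating the sign-in form
    recipient = CookieJar()        # the device that actually received the message
    link = server.submit_form("bob@example.test", form_window)
    server.open_confirmation(link, recipient)
    return server.whoami(form_window), server.whoami(recipient)


if __name__ == "__main__":
    srv = SideChannelServer()
    print(same_browser_flow(srv))        # alice@example.test
    print(different_browser_flow(srv))   # (None, 'bob@example.test')
```

The correlation here is implicit: the server never checks which browser opened the link, it simply sets the cookie where the link was opened, and the original window only benefits if it shares that cookie jar. That is exactly why the scheme covers the "opened in the same browser" case and not the phone-plus-PC case the page raises earlier.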

YAGNI

Don't worry about it. It's not a problem yet.
