Beware, That Password Pop-Up Could Be Fake

Anonymous

Key Takeaways

  • A security researcher has created a method for building convincing but fake single sign-on (SSO) login pop-ups.
  • The fake pop-ups display the legitimate provider's URL so that they appear authentic.
  • The trick shows that people who rely on passwords alone will have their credentials stolen sooner or later, experts warn.

Navigating the web is getting trickier every day.

Many websites today offer several ways to create an account. You can register directly with the website, or use a single sign-on (SSO) mechanism to log in with an account you already hold at a well-known company such as Google, Facebook, or Apple. A cybersecurity researcher has taken advantage of this and devised a new mechanism for stealing your login credentials by creating a fake SSO login window that is virtually impossible to tell from the real one.

"The popularity of SSO provides many benefits to [people]," Scott Higgins, Director of Engineering at Dispersive Holdings, Inc, told Lifewire by email. "However, clever hackers are now taking advantage of this approach."

Fake Login

Traditionally, attackers have relied on tactics such as homograph attacks, which replace some letters in the original URL with look-alike characters from another alphabet to produce new, hard-to-spot malicious URLs and fake login pages.

However, this strategy usually falls apart if people inspect the URL carefully. The cybersecurity industry has long trained people to check the URL bar, to make sure it shows the correct address and has a green padlock next to it. The padlock indicates that the connection to the site is encrypted; it says nothing about who operates the site, since a phishing site can obtain a certificate just as easily as a legitimate one.

"All of this eventually made me wonder, is it possible to make the 'Check the URL' advice less reliable? After a week of brainstorming I decided that the answer is yes," wrote the anonymous researcher who goes by the pseudonym mr.d0x.

The attack mr.d0x created, called browser-in-the-browser (BitB), uses the three basic building blocks of the web (HTML, cascading style sheets (CSS), and JavaScript) to draw a fake SSO pop-up window, complete with its own title bar and address bar, that is essentially indistinguishable from a real one.

"The fake URL can contain anything it wants, even a seemingly valid location. Additionally, JavaScript modifications make it so that hovering over the link, or the login button, also shows a seemingly valid URL location," added Higgins after examining mr.d0x's mechanism.

To demonstrate BitB, mr.d0x built a fake version of the online graphic design platform Canva. When a visitor clicks to log into the fake site using the SSO option, the site pops up the BitB-crafted login window showing the legitimate address of the spoofed SSO provider, such as Google, to trick the visitor into entering their login credentials, which are then sent to the attackers.

The technique has caught the attention of a number of web developers. "Ooh that's nasty: Browser In The Browser (BITB) Attack, a new phishing technique that allows stealing credentials that even a web professional can't detect," François Zaninotto, CEO of web and mobile development company Marmelab, wrote on Twitter.

Remember Where You're Going

While BitB is far more convincing than run-of-the-mill fake login windows, Higgins shared a few tips people can use to protect themselves.

For starters, although the BitB SSO pop-up looks like a legitimate pop-up window, it isn't one. So if you grab the address bar of this pop-up and try to drag it, it will not move past the edge of the main website window, unlike a real pop-up window, which is independent and can be moved to any part of the desktop. Because the fake window is just an element of the web page, it is also clipped by the page's viewport, and its "address bar" is only painted text, not a field you can click into and edit.

Higgins noted that testing the legitimacy of the SSO window this way will not work on a mobile device. "This is where [multi-factor authentication] or using passwordless authentication options can be really helpful. Even if you did fall victim to the BitB attack, [the scammers] wouldn't necessarily be able to [use your stolen credentials] without the other portion of an MFA login routine," said Higgins.


Also, since it isn't a real login window, your password manager (if you use one) will not automatically fill in the credentials, which gives you a moment to notice that something is off. Password managers match saved credentials against the actual origin of the page or frame that contains the form, as reported by the browser, not against the URL painted inside the fake window, so the manager sees the phishing site's address and finds nothing to fill.

It is also important to remember that while the BitB SSO pop-up is hard to detect, it still has to be launched from a malicious site. To be shown a pop-up like this, you must already be on a fake website.

This is why, coming full circle, Adrien Gendre, Chief Tech and Product Officer at Vade Secure, suggests that people should look at the URL every time they click a link.

"The same way we check the number on the door to make sure we end up in the right hotel room, people should always take a quick look at URLs when browsing a website. The internet isn't our house. It's a public space. We need to check what we're visiting," stressed Gendre.
