
Not always. With 2FA a key-logger isn't enough, since the 2nd factor can't be replayed. A valid session cookie might be enough, though.


Depends how the encryption works - you only need to compute the cookie database key once.

Of course, regardless of what they do, you could probably just run a quick Frida (https://frida.re/) script to patch into Chrome and dump the key to disk when the decryption function is called.

From the 10 immutable laws of security: Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.


Replayed later no, but a naive TOTP implementation will likely allow you to reuse a code more than once as long as you log in within the 30-second x N-lookback window.
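The reuse window described in the comment above, and the server-side fix for it, as an added example that is not part of the thread: a stateless TOTP check next to one that records the last accepted time step per user (RFC 6238 section 5.2 requires rejecting a second use of an accepted code). `STEP`, `LOOKBACK`, `verify_naive` and `ReplaySafeVerifier` are names assumed for this sketch.

```python
import hashlib
import hmac
import struct

STEP = 30       # seconds per time step (RFC 6238 default)
LOOKBACK = 1    # assumed N: also accept codes from N earlier steps

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _match(secret: bytes, code: str, now: float):
    """Return the time-step counter the code matches, or None."""
    current = int(now) // STEP
    for counter in range(current, current - LOOKBACK - 1, -1):
        expected = hotp(secret, counter).encode()
        if counter >= 0 and hmac.compare_digest(expected, code.encode()):
            return counter
    return None

def verify_naive(secret: bytes, code: str, now: float) -> bool:
    """Stateless check: the same code passes on every call in the window."""
    return _match(secret, code, now) is not None

class ReplaySafeVerifier:
    """Remembers the last accepted step per user so each code works once."""

    def __init__(self):
        self._last_step = {}   # user -> highest counter already accepted

    def verify(self, user: str, secret: bytes, code: str, now: float) -> bool:
        counter = _match(secret, code, now)
        # Reject anything at or before a step that was already consumed.
        if counter is None or counter <= self._last_step.get(user, -1):
            return False
        self._last_step[user] = counter
        return True
```

In a real deployment the last accepted step has to live in shared, persistent storage and be updated atomically with the check, otherwise two concurrent logins can both pass.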


Capture a token, use it yourself, and show the user an error so they generate a new token.


I forgot to bookmark the link, but I think I read someone cracking the TOTP secret from a couple OTPs with their timestamps known.



