Threads for pvachon

  1. 2

    My personal favourite is dcraw, a tool for camera raw photo processing. It’s 10,000+ lines of C, contains redefinitions of macros and makes extensive reuse of shared static buffers and such for various purposes.

    1. 4

      Variants of this have been talked about for years, of course, going back to [1] in 1997 (a minor result in this case) and later in 2007 [2] showing this kind of trickery simulating window chrome in the browser. H/T to Steve Bellovin for digging these references out!

      Hardware tokens seem like a silver bullet, but they pose their own UI/UX challenges, not to mention the need for a workflow when people lose or forget the token… usually the part attackers would abuse.

      For a very sophisticated attack, remember that the token itself does not know who it is talking to. If you know the rpId for a site and the key handle for a user’s enrolment, then subvert the browser’s controls… you can get the authenticator to sign any challenge. Hopefully that is a high enough bar to keep that out of the more mainstream realm though.

      Still, bring on the hardware tokens and platform authenticators; they’re the best solution we have.

      [1] https://www.drewdean.net/papers/spoofing.pdf
      [2] https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf