sounds like he was simulating openid-connect flows by saying "login with Google" or "login with Facebook" and then storing the credentials entered which would be cleartext.
I always suspicious of these flows for specifically this reason. The flows are secure as long as you know you are talking to the correct identity provider, but I think most laymen would not understand that concept.
Gotta be careful with that too. If your password manager offers to auto-fill on the base domain - for example, *.google.com, it would be fooled by any phishing site hosted on google sites or google forms.
Wow, that seems like a huge security risk for Google that people can create phishing sites on their auth domain. I don’t think Google Forms allows login forms, but I’m surprised Google Sites would offer hosting on the primary Google domain.
Yes? This is unsurprising and doesn’t represent gross incompetence on the part of the victim. Computers are inscrutably hard to understand. Anyone that’s lost sight of that is in an echo chamber.
I'm not blaming the victims, but at the same time they will have seen several warnings from their browser indicating that the sites are unencrypted and not to send sensitive information.
LetsEncrypt cert? The domain could be something like amazon.freeewifi.com, it can have a username/password field and a text above it that says "enter your Google/Facebook/Amazon login", and the majority of users won't realize that this is a 3rd-party site. Experts like us might notice "That's not how 3rd party auth is supposed to work!", but the majority really won't know.
A few years ago I read a statistics that most (90%+) computer users just do things based on rote memorization of sequences of actions, not understanding what happens in the background. I wonder how it is nowadays.
Maybe AI that can "smell" if you're on a scammy site (e.g. prompts to enter your Google/FB/Amazon password) would be useful, but then again the implementation might end up being like MS's "let us record your screen, for AI!" horseshit..
I was imagining them trying to spoof an amazon.com domain using an evil dns server or something of that nature. That would be much harder to detect, but the cert is an issue.
I guess it's overcomplicating things, though. Most people will just not notice that whatever domain they use is not legit.
Amazon is also super sloppy with domains even when its legit. Working there I had to put my password into probably four or five tlds, and the onboarding process involved giving my SSN to an non amazon.com tld linked from an email that was from a different non amazon tld with a misconfigured cert that got it sent to spam by gmail and dotted with red rectangles and stop signs
Yeah, just like "I'm a prince who needs your help to move money" scams are riddled with poor grammar, it's easier to keep it dumb, to attract the unsuspecting.
But on the flip-side, if there's an expert on the flight, they'd notice it's a spoof site and chances are higher they'll report it to the crew. I can imagine the trick is to show a page that says "For free WiFi, follow our Instagram account, click here for our account", and the click will fail because there's no connection (if we're on the plane), but the click can trigger some Javascript to say "If you couldn't follow our Instagram, login using your Google/Amazon account: Username: ____ Password: ____". Or a more sophisticated trick would be to show a DIV that looks like Instagram and the "follow" button, which will then show the fake login...
The privacy-wary IT expert will look at the "Follow our Instagram" and think "Fuck off, I'm not doing that!" and might miss the spoofed login prompt...
Make the domain login-to-[airline]-wifi.com, get a real cert, and return a form with <h1>Login with Facebook</h1> and you won't ring alarm bells for the average user
I wouldn't say "never was". EV certs were an attempt to do exactly that for a time period of about 10 years. And many users were explicitly trained to trust EV certs as indicating that the site was independently validated as trustworthy, during that time period.
HSTS is a great mechanism to help protect against this. Although it assumes the user has visited the site previously within the HSTS expiration period. There’s also the HSTS preload list: https://hstspreload.org/
I don't think HSTS will help if he is running his own WWW site on his laptop with a proper CA signed cert. If I understand correctly his laptop was presenting a proper WWW login page presumably over HTTPS after victims connected to his WIFI. What he was probably faking was the redirect to the Identity Provider (IDP) by staying on his own properly credentialed HTTPS site which would pass all HSTS checks. He may have also been faking DNS responses to keep users where he wants them.
Exactly this. Apple devices in fact use a domain https://captive.apple.com/ to detect when to redirect to a captive portal which will grant the user access to the internet. HTTPS isn't used here because the captive experience is to re-write all DNS lookups to a local IP to serve the captive experience.
This experience would just redirect the user to a site they've never been to before, say: wa-man-likes-your-data.com. This could have a legitimate signed cert from anywhere and look legitimate to the device with a lock icon. Put the airline's logo and a form for PII, wait a couple of hours and you've collected a plane load of data.
I used to think about doing something similar but as an education campaign. Similar to Phishing Simulators at large corporates, I had the idea to display a captive page that explained what the user did and how they can learn to avoid it in future.
Apple & Google should really make it clearer on phones that users are joining untrusted networks, especially any network not implementing Wi-Fi Certified Passpoint (Hotspot 2.0).
How would they have got a proper CA signed cert for a domain they don't own?
HSTS will only make a HTTPS connection. Without the valid certificate, they should get a warning.
The only way this "works" is if a captive portal pops up a browser to a site that looks the same like amaz0n.com. Password manager wouldn't popup, but many people don't use them.
Faking DNS also won't help with the TLS warning, they won't have the certificate.
Criminals are smart enough to skip any of that -- they'll trick you into opening a site that has the "same" domain and looks the same, except that the domain uses a Unicode character that is just a tiny bit different from the real one. (Thank you ICANN!) I get junk email from them every day. Even if just 1 out of 50 people fall for this, they get a good payout.
And that's just one of the many possible scenarios. When you control someone else's Internet, there is a lot of things you can do. Google's certificate transparency is going to help a lot here, but only as much as what happens in a browser.
HSTS does absolutely nothing to protect against evil portals. These portals aren't spoofing DNS for google.com, they're typically displaying their own TLS-enabled site with a familiar-looking login flow, i.e. "Log in with Facebook/Google/Amazon to access Wi-Fi."
Just do a captive portal redirect to "google.johnsmith.example.com" with a properly signed certificate, add google logo and login fields, and after a user enters his credentials, just redirect them to actual google.com.
Most people don't look at domains in the url. You can actually probably register a domain like "freegooglewifi.com" or something.
Pretty sure they can glean some info just by looking at dns requests. Maybe could infer who is who by MAC address. Though, I think you need to act like a router. I think could just listen to all of this on public Wi-Fi though
