A slick new phishing-as-a-service offering demonstrates just how easily a username+password and a one-time token can be phished. Dubbed "Starkiller," the service uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the victim and the legitimate site -- forwarding the victim's username, password and multi-factor authentication code to the legitimate site and returning its responses.

https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/

#phishing #MFA #starkiller

@briankrebs Huh, fascinating, I'm finding StackOverflow comments from 2014 that HTTP Basic Auth credentials in the URL will throw phishing warnings in Safari... There was apparently some back and forth ongoing with the removal of this feature in multiple browsers

https://serverfault.com/questions/371907/can-you-pass-user-pass-for-http-basic-authentication-in-url-parameters

I'm still a regular user of this feature, I hope it does not get removed.

@eloy @briankrebs Well I guess they could throw their typical scary-shit warning page like they do with TLS.
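
The replies above turn on the userinfo part of a URL (`user:pass@host`), which HTTP Basic Auth links use and which browsers may warn about. As an added example (not from the posts or the linked article), this Python check flags links whose userinfo looks like a hostname different from the host that is actually contacted; the function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Loose pattern for "looks like a DNS name", e.g. login.example.com
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def inspect_url(url):
    """Return (real_host, findings) for one absolute URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.username is not None:
        # Any userinfo is worth noting: it is rare in legitimate links.
        findings.append("userinfo-present")
        # Decode %2F etc., then keep only the text before path-like characters,
        # so "login.example.com%2Faccount" is compared as "login.example.com".
        user = unquote(parts.username).lower()
        label = re.split(r"[/\\?#]", user)[0]
        if HOSTLIKE.match(label) and label != host:
            findings.append("userinfo-looks-like-host:" + label)
    return host, findings


def scan(urls):
    """Return only the URLs with findings, as (url, real_host, findings)."""
    hits = []
    for url in urls:
        host, findings = inspect_url(url)
        if findings:
            hits.append((url, host, findings))
    return hits


# Constructed sample links (reserved example/invalid domains only).
SAMPLES = [
    "https://www.example.com/login",
    "https://alice:s3cret@intranet.example.org/reports",
    "https://login.example.com@relay.invalid/signin",
    "https://login.example.com%2Faccount@relay.invalid/",
]

if __name__ == "__main__":
    for url, host, findings in scan(SAMPLES):
        print(f"{url}\n  real host: {host}\n  findings:  {', '.join(findings)}")
```

A plain Basic Auth link such as the second sample is reported only as `userinfo-present`, so it can be handled more leniently than a link whose userinfo imitates another host.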