@khlr

2 Followers
56 Following
3 Posts
Hi there – I’m Jan, software developer focusing on authentication, federation, and identity protocols.
I’m one of the contributors to SAML-tracer.
Glad to be in a space where federation isn't just a buzzword.

Just read a great blog post by @dennis_kniep about a novel Device Code #phishing technique that can bypass even #FIDO 😱

The attack dynamically starts the #OAuth flow when the victim clicks a link, and uses a headless browser to automate code entry - eliminating the usual 10-minute window.
Even worse: Victims authenticate on the real website, so there's no suspicious URL to tip them off.

Great technical write-up with PoC included 👍

https://denniskniep.github.io/posts/09-device-code-phishing/

#cybersecurity #infosec #entra

Phishing despite FIDO, leveraging a novel technique based on the Device Code Flow

TL;DR: This is a novel technique that leverages the well-known Device Code phishing approach. It dynamically initiates the flow as soon as the victim opens the phishing link and instantly redirects them to the authentication page. A headless browser automates this by directly entering the generated Device Code into the webpage behind the scenes. This defeats the 10-minute token validity limitation and eliminates the need for the victim to manually perform these steps, elevating the efficiency of the attack to a new level.

A few days ago, we released SAML-tracer v1.9 🚀

Besides some minor fixes, this version introduces a new feature:
You can now filter for protocol-related requests only – cutting out the noise from all those extra requests that get in the way during analysis.

Get it here:
Firefox: https://addons.mozilla.org/firefox/addon/saml-tracer/
Chrome: https://chromewebstore.google.com/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch

#saml #samltracer #sso #singlesignon