Post: Stealing cookies: Researchers describe how to bypass modern authentication

Link: https://azorius.net/c/4VD444F4D8M4Dnh33r

tedu on 07 May 2024 14:27

Some necessary caveats: This kind of attack can only be pulled off in relatively narrow circumstances by a dedicated attacker. Segal said the user would need to have installed a malicious browser extension or be in transit and use public Wi-Fi where their traffic could be intercepted and decrypted through a MITM attack.

Well, okay. Maybe there's something new here, but despite the many paragraphs of exposition, this sounds like exactly the sort of cookie stealing attack that's been possible for decades.

Is the big breakthrough here that somebody realized FIDO doesn't change that? Like, uh, no kidding? What's new?