Yup. Notice that this can't work on WebAuthn (or its predecessor U2F), which is ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		tialaramex on Sept 14, 2020 \| parent \| context \| favorite \| on: I lost €4k in a Facebook scam Yup. Notice that this can't work on WebAuthn (or its predecessor U2F), which is why everything should do WebAuthn and you should ignore attempts to downgrade you to any other method. An attacker can play the legitimate WebAuthn request from the real site, which will (statistically certain) be nonsense if played by their phishing site. Or they make their own request, which doesn't help them because it's not valid on the real site they want to sign into so it's pointless.

GoblinSlayer on Sept 15, 2020 [–]

In this case the application shows real facebook in a webview and after user logged in, the application retrieved the session cookie from the webview. How webauthn will behave here?

tialaramex on Sept 15, 2020 | [–]

If you can steal the session cookie and the session cookie is what you needed then WebAuthn doesn't change anything.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact