![]() Instead, it's a real URL associated with the company that's been hijacked to redirect. ![]() ![]() However, the URL isn't a faked one, with EA properties misspelled in tricky ways, as phishing links so often are. The third step to make this attack work requires the player being tricked into clicking on a phishing link. "The second was manipulation of the API for authentication." "The DNS was unused, and we managed to hijack it," says Oded Vanunu, Check Point’s head of product vulnerability research. With the stolen sign-in token, they could takeover the player's account, where they could view stored data and make purchases. With this attack, the researchers took advantage of a weakness in the token authentication system, using it to redirect a copy of the token to its hijacked subdomain.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |