OWASP / Top10

Official OWASP Top 10 Document Repository

A04:2021 – Insecure Design: Easily Phished Communications? #720

Open llaenowyd opened 2 years ago

llaenowyd commented 2 years ago

Here, halfway down the page under the heading Example Attack Scenarios, are 3 scenarios that would fall into the Insecure Design category.

I've received phishing training at work, and the basic idea is to avoid clicking links in emails, especially if they lead to a login page where you'd put in credentials.

How about on the other end of it: if you have a big customer base who might log in to your application, it might be the most user-friendly workflow to send them an email with a link to have them log in, as they might want to do in response to being notified about a problem or news regarding their user account.

If the application routinely sends out legitimate emails with login links, I'd speculate it might be 10-100 times more likely to obtain access to an account during a phishing campaign.

I can recall some cases where a company will put out language like, "we will never ask for your login credentials via email." I'm not sure if that's just a good practice or an indication that there is some understanding that there could be a problem with legitimate communications that appear to possibly be phishing attempts.

So I wonder: would this kind of design (routine emails or texts with login links and a call to action to click and sign on) be considered Insecure Design under the OWASP/Top10 categorization?
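One concrete way to act on the design concern raised above is to lint outgoing notification templates before they ship, flagging any link that lands on a login-style page or on a host outside the product's own domain, and to compare a "click here to sign in" template with one that tells the user to navigate to the site themselves. The following is an added example, not code from the OWASP Top 10 project or from the issue author; `FIRST_PARTY_HOSTS`, the path patterns, and both templates are constructed for illustration.

```python
"""Lint outgoing e-mail templates for links that train users to click through
to a credential prompt.  Added example; not part of the OWASP Top 10 project."""
import re
from urllib.parse import urlparse

# Assumed first-party hostnames for the hypothetical product.  A real
# deployment would load these from configuration.
FIRST_PARTY_HOSTS = {"example.com", "www.example.com"}

# Path segments that usually terminate at a credential or password prompt.
LOGIN_PATH_RE = re.compile(
    r"(^|/)(login|log-in|signin|sign-in|auth|sso|password|reset|verify)(/|$)",
    re.IGNORECASE,
)

# Rough http(s) URL matcher; stops at whitespace and common delimiters.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def find_login_links(body):
    """Return a list of (url, reasons) for each link a phishing-aware design
    should not be sending: links whose path looks like a login page, or links
    pointing off the first-party domain (the pattern lookalike hosts use)."""
    findings = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if host not in FIRST_PARTY_HOSTS:
            reasons.append("off-domain host")
        if LOGIN_PATH_RE.search(parsed.path or "/"):
            reasons.append("login-style path")
        if reasons:
            findings.append((url, tuple(reasons)))
    return findings


def is_phishing_resistant(body):
    """True when the template contains no link the check objects to."""
    return not find_login_links(body)


# Constructed sample templates; neither is taken from a real product.
RISKY_TEMPLATE = """\
Subject: Action required on your account

We noticed a problem with your account. Sign in now to review it:
https://www.example.com/login?next=/account/alerts

Questions? Visit https://example-com-support.net/signin
"""

SAFER_TEMPLATE = """\
Subject: New alert on your account

There is a new alert waiting in your account. To read it, open the app
or type example.com into your browser and go to Account > Alerts.

We will never ask for your password by e-mail, and this message contains
no sign-in link.
"""

if __name__ == "__main__":
    for name, body in (("risky", RISKY_TEMPLATE), ("safer", SAFER_TEMPLATE)):
        result = "ok" if is_phishing_resistant(body) else find_login_links(body)
        print(name, "->", result)
```

The safer template deliberately carries no clickable link at all: the user is told where to go and navigates there on their own, which is the same habit the phishing training in the post asks people to keep. Running the check over the risky template reports both the first-party `/login` link and the off-domain `signin` link, while the safer one passes.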

puneeth072003 commented 1 year ago

@llaenowyd Happy to work on this issue, just tell me what I should do.