Closed jorunfa closed 8 years ago
This issue is still under discussion.
CONNECT and a 4-digit numeric PIN with spaces on each side, for example 1234. Since it's possible to leave the login pages (the about pages can take you to potentially anywhere), where attackers could potentially abuse the SMS privileges to read any SMS matching the template, a security measure should be added.
The suggested measure is to only read instructions on pages using https under the telenordigital.com domain.
If the attacker still successfully spoofs or eavesdrops on the https webpage then that person will be able to steal the user's PIN code, along with other credentials, and thus imitate or steal the user. However, if the attacker is able to do this then that person would be able to potentially steal the user's password, if that is used, without needing the PIN anyway.
Relevant: https://en.wikipedia.org/wiki/Transport_Layer_Security#Dealing_with_man-in-the-middle_attacks
Capture: $pin is your verification code for CONNECT
Your verification code is $pin - Connect by Telenor Digital
CONNECT are ignored. CONNECT calls the callback JS function with the found PIN as the argument.
Also: only listening to SMSs sent from Telenor.
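The gating the issue proposes (trusted https origin under telenordigital.com, trusted sender, template match with a 4-digit PIN) as an added JavaScript example that is not code from the CONNECT SDK or from this issue; the sender id "Telenor", the hostname rule and the sample messages are assumptions.

```javascript
// Added example, not the CONNECT SDK's own code. Sender id and host rule are assumptions.
const SMS_TEMPLATES = [
  "$pin is your verification code for CONNECT",
  "Your verification code is $pin - Connect by Telenor Digital",
];
const TRUSTED_SENDERS = new Set(["Telenor"]); // assumption: illustrative sender id

// Turn a template into an anchored regex where $pin must be exactly 4 digits.
// Anchoring plus the literal spaces in the template enforce "spaces on each side".
function templateToRegex(template) {
  const escaped = template.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace("\\$pin", "(\\d{4})") + "$");
}
const PIN_PATTERNS = SMS_TEMPLATES.map(templateToRegex);

// Only https pages on telenordigital.com or a subdomain of it qualify.
// The suffix check requires a dot boundary so "eviltelenordigital.com" and
// "telenordigital.com.evil.example" are both rejected.
function isTrustedPage(pageUrl) {
  let u;
  try { u = new URL(pageUrl); } catch { return false; }
  if (u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  return host === "telenordigital.com" || host.endsWith(".telenordigital.com");
}

// Returns the PIN string, or null when the sender is untrusted or no template matches.
function extractPin(sms) {
  if (!TRUSTED_SENDERS.has(sms.sender)) return null;
  for (const re of PIN_PATTERNS) {
    const m = re.exec(sms.body);
    if (m) return m[1];
  }
  return null; // messages not matching a template are ignored
}

// Full gate: page origin first, then sender and template; only then call the JS callback.
function handleIncomingSms(sms, pageUrl, callback) {
  if (!isTrustedPage(pageUrl)) return false;
  const pin = extractPin(sms);
  if (pin === null) return false;
  callback(pin);
  return true;
}

// Constructed sample (not real traffic) showing the happy path.
handleIncomingSms(
  { sender: "Telenor", body: "1234 is your verification code for CONNECT" },
  "https://connect.telenordigital.com/login",
  (pin) => console.log("PIN delivered to page:", pin),
);
```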