[HN Gopher] Building a WebAuthn Click Farm
___________________________________________________________________

Building a WebAuthn Click Farm

Author : jsnell
Score  : 85 points
Date   : 2021-06-14 07:50 UTC
web link: betterappsec.com

   baybal2 wrote:
   | Informing people again, WebAuthn is authentication only, and does
   | not substitute for signing and client encryption.
   |
   | It's been nearly 10 years in the making, went through multiple
   | complete spec rewrites, and endless errata.
   |
   | And for that bicycle reinvention attempt with the extra features of
   | captcha and DRM, Google killed the keygen tag in Chrome.

   1cvmask wrote:
   | You can actually buy FIDO keys wholesale for under $5 if the
   | order is over 10 thousand units directly from the manufacturers.

     megablast wrote:
     | Great idea. This guy should have paid $50,000 instead of $100
     | with next day shipping.

   no_time wrote:
   | If this catches on I will make sure to buy and abuse a few of
   | these tokens every month just to get them banned.
   |
   | Doing a little trolling, 100k+ banned tokens at a time.

   xaduha wrote:
   | I'm holding off buying WebAuthn stuff until the fabled YubiKey Bio
   | comes out, since WebAuthn support is still so insignificant even
   | compared to TOTP. But big players like Cloudflare supporting it
   | might change the picture.

   fouc wrote:
   | > How I built a click farm to "bypass" Cloudflare's CAPTCHA killer
   | > with some cheap USB security keys, an Arduino, and a bit of
   | > python.

   soheil wrote:
   | > Any opinions stated here are my own, not necessarily those of
   | > any past, present, or future employer.
   |
   | Is it common to get in trouble with employers if this is not
   | stated? I don't understand how a clearly non-work-related blog
   | post like this could land someone in hot water with their
   | employer. And even if it could, I still don't understand how this
   | statement alone can help.

     kkirsche wrote:
     | I've seen it a fair amount in cyber security, especially if you
     | are attacking or leveraging things that the company sells or
     | promotes. Does it work? Anecdotally yes, but that's not
     | something I would bank on when releasing content that I feel
     | needs a disclaimer.
     |
     | Realistically, if someone wants to release something
     | questionable, it's preferable to work with the company prior to
     | releasing it to find the verbiage they want used (similar to
     | how many Google GitHub repositories state they aren't official
     | Google products) and to understand if you will end up in hot
     | water.

     jessedhillon wrote:
     | Disclaimers have become magical incantations of a litigious,
     | safety-obsessed culture.

       noizejoy wrote:
       | They remind me of the safety labels on everyday items,
       | often containing apparently ridiculously obvious warnings,
       | like electrical shock warnings on extension cords, or
       | warnings not to put a ladder on a slippery surface.
       |
       | For non-US-based individuals encountering these for the first
       | time, they often were their first encounter with how
       | different the US legal system really was/is from the rest of
       | the world.

         xbar wrote:
         | Back, demon!
         |
         | ------------------------------------------------------------
         | WARNING: This product contains a chemical known to the State
         | of California to cause cancer.

     nkrisc wrote:
     | The cost of including it is nothing, so on the chance it works,
     | there's only upside. If it doesn't work, it's the same as not
     | having it, but the cost to include it was nothing, so what
     | reason is there to not include it?

       soheil wrote:
       | This sounds an awful lot like Pascal's wager.

   daveguy wrote:
   | > "Does this mean 'Attestation of Personhood' is broken? ... In
   | > my opinion, no. Starting with the obvious, Cloudflare has clearly
   | > considered this attack vector as they mentioned it in the post
   | > and decided it still raises the cost of an attack over the
   | > current CAPTCHA model...
   |
   | Attackers are already willing to purchase a bunch of cell phones
   | to emulate human behavior. 'Attestation of Personhood' with the
   | use of a hardware key is completely broken.

   mandatory wrote:
   | Plot twist: this post is a smokescreen for this person working
   | remotely from home and needing to automate their U2F key pressing.

     dkdk8283 wrote:
     | Anything with a capacitive touch sensor can easily be
     | automated.
___________________________________________________________________