
No it can't.

The rouge javascript or keylogger would just steal the totp code, prevent the form submission, and submit its own form on the malicious person's server.

Not to mention if your threat model includes attacker has hacked the server and added javascript, why doesn't the attacker just take over the server directly?

If the attacker installed a keylogger, why don't they just install software to steal your session cookies?

This threat model doesn't make sense. It assumes a powerful attacker doing the hard attack and totally ignoring the trivially easy one.



> Not to mention if your threat model includes attacker has hacked the server and added javascript, why doesn't the attacker just take over the server directly?

If the attacker can only hack the server that hosts your SPA, but not your API server, they can inject javascript into it, but can't do a lot beyond that.


So assuming server-side compromise, not XSS: in theory the servers can be isolated; in practice it's rare for people to do a good job with this except at really big companies.

Regardless, if they got your SPA, they can replace the HTML, steal credentials, act as users, etc. Sure, the attacker might want something more, but this is often more than enough to do anything the attacker might want if they are patient enough. Certainly it's more than enough to do anything TOTP would protect against.


> attacker has hacked the server and added javascript

Adding javascript doesn't necessarily mean the server is hacked. XSS attacks usually don't require actually compromising the server. Or a malicious browser plugin could inject javascript onto a site.


rogue javascript. It's naughty, not red.



