<img src="https://cdn.arstechnica.net/wp-content/uploads/2019/02/gone-800×534.jpg" alt="Beware the Facebook phishing scam that can fool even vigilant users">
Single sign-on, or SSO, is a feature that lets users log in to third-party websites with an account they already hold elsewhere (usually Facebook, Google, LinkedIn or Twitter). SSO is designed to make life easier both for end users and for websites. Instead of creating and remembering passwords for hundreds or even thousands of third-party sites, people can sign in with the credentials of a single site, and websites that do not want the burden of building and protecting a password-based authentication system need only call a simple programming interface. Security and cryptographic mechanisms under the hood let users log in without the third-party site ever seeing their password. As the video below shows, the login screen looked almost identical to a real Facebook SSO prompt. But this window was not built on the Facebook API and never interacted with the social network in any way. Instead, the username and password typed into it were captured.
Facebook phishing page (social input)
Simply add HTML
verify that they are looking at a genuine Facebook SSO window, for example the one to the right of this text. The status bar, navigation bar, shadows and Facebook HTTPS address all look almost identical. But the window shown on the phishing page was recreated with an HTML block rather than with the API call that opens the real Facebook window. As a result, anything entered into the fake SSO page went straight to the phishers.
Convincing as the replica is, there is one easy way any user could immediately tell it was a fake. Genuine SSO windows from Facebook and Google can be dragged outside the third-party site's window without any part of the login prompt disappearing. Parts of the fake SSO window, by contrast, disappeared. Another tell for Myki users, and probably for users of other password managers, was that the auto-fill feature did not work because, despite the address displayed inside the HTML block, the actual URL users were visiting was not Facebook's. More advanced users could almost certainly spot the fake by viewing the source of the site they were visiting.
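The password-manager tell above comes down to one fact: a real SSO popup is a separate browser window whose address bar is drawn by the browser, whereas the fake one was page content, so the "facebook.com" address users saw was just text on a non-Facebook origin. The following scanner, added here as an example and not code from the article or from Myki, applies that heuristic to a page's HTML; the identity-provider hostnames, the sample markup and the third-party origin are all assumptions.

```javascript
// Added example (not from the article): flag "picture-in-picture" SSO phishing,
// where a page paints a fake browser window, fake address bar included, in its
// own HTML. An identity-provider HTTPS URL rendered as visible text on a page
// whose real origin is not that provider is a strong indicator.
// Hostnames and sample HTML below are assumptions for the demonstration.

const IDP_HOSTS = ["facebook.com", "accounts.google.com", "linkedin.com", "twitter.com"];

// Reduce markup to visible text: drop script/style bodies, then strip tags.
function visibleText(html) {
  return html
    .replace(/<(script|style)[^>]*>[\s\S]*?<\/\1>/gi, " ")
    .replace(/<[^>]+>/g, " ");
}

// True when host is suffix itself or a subdomain of it.
function hostMatches(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Returns URLs rendered as page text that claim an IdP origin the page does
// not actually have. Empty array: nothing suspicious. Plain-text links to an
// IdP (e.g. in a footer) can also match, so treat hits as an indicator to
// review rather than proof of phishing.
function findSpoofedAddressBars(html, actualOrigin) {
  const pageHost = new URL(actualOrigin).hostname;
  const hits = [];
  for (const m of visibleText(html).matchAll(/https?:\/\/[^\s"'<>]+/g)) {
    let host;
    try { host = new URL(m[0]).hostname; } catch { continue; }
    const claimsIdp = IDP_HOSTS.some((h) => hostMatches(host, h));
    const reallyOnThatOrigin = hostMatches(pageHost, host) || hostMatches(host, pageHost);
    if (claimsIdp && !reallyOnThatOrigin) hits.push(m[0]);
  }
  return hits;
}

// Constructed sample: a third-party page that draws a fake Facebook login window.
const SAMPLE_FAKE_HTML = `
<div class="fake-window">
  <div class="fake-addressbar">https://www.facebook.com/login.php</div>
  <form method="post"><input name="email"><input name="pass" type="password"></form>
</div>`;

console.log(findSpoofedAddressBars(SAMPLE_FAKE_HTML, "https://example-third-party.test"));
```

The same text would not be flagged when the real origin is facebook.com, which is what distinguishes a genuine popup from a painted one.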
The convincing fake is another reminder that attacks keep getting better. It also underscores the value of using multi-factor authentication on any site that offers it. A phished password for a Facebook account protected by MFA would be useless to attackers because they would not have the physical key or smartphone needed to log in from a computer that had never accessed the account before. Facebook has more tips on dealing with phishing.