{"id":10463,"date":"2025-07-21T12:34:51","date_gmt":"2025-07-21T05:34:51","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10463"},"modified":"2026-02-05T12:34:58","modified_gmt":"2026-02-05T05:34:58","slug":"khong-phai-lo-hong-chinh-tinh-nang-da-mo-cua-cho-ke-tan-cong","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/21\/khong-phai-lo-hong-chinh-tinh-nang-da-mo-cua-cho-ke-tan-cong\/","title":{"rendered":"Kh\u00f4ng ph\u1ea3i l\u1ed7 h\u1ed5ng, ch\u00ednh t\u00ednh n\u0103ng \u0111\u00e3 “m\u1edf c\u1eeda” cho k\u1ebb t\u1ea5n c\u00f4ng"},"content":{"rendered":"

M\u1ed9t k\u1ef9 thu\u1eadt t\u1ea5n c\u00f4ng m\u1edbi v\u1eeba \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n, cho ph\u00e9p nh\u00f3m hacker PoisonSeed v\u01b0\u1ee3t qua c\u01a1 ch\u1ebf b\u1ea3o v\u1ec7 c\u1ee7a kh\u00f3a b\u1ea3o m\u1eadt FIDO v\u1ed1n \u0111\u01b0\u1ee3c xem l\u00e0 “ti\u00eau chu\u1ea9n v\u00e0ng” trong x\u00e1c th\u1ef1c kh\u00f4ng m\u1eadt kh\u1ea9u v\u00e0 ch\u1ed1ng phishing hi\u1ec7n nay. \u0110i\u1ec3m \u0111\u1eb7c bi\u1ec7t c\u1ee7a k\u1ef9 thu\u1eadt n\u00e0y kh\u00f4ng n\u1eb1m \u1edf vi\u1ec7c khai th\u00e1c l\u1ed7 h\u1ed5ng trong giao th\u1ee9c FIDO m\u00e0 \u1edf c\u00e1ch m\u00e0 k\u1ebb t\u1ea5n c\u00f4ng l\u1ee3i d\u1ee5ng t\u00ednh n\u0103ng h\u1ee3p ph\u00e1p: c\u01a1 ch\u1ebf \u0111\u0103ng nh\u1eadp li\u00ean thi\u1ebft b\u1ecb (cross-device sign-in).<\/b><\/p>\n

\n
\"1753079507535.png\"<\/div>\n

\u200b<\/p><\/div>\n

B\u1ea3n ch\u1ea5t c\u1ee7a cu\u1ed9c t\u1ea5n c\u00f4ng\u200b<\/h3>\n

T\u00ednh n\u0103ng cross-device sign-in cho ph\u00e9p ng\u01b0\u1eddi d\u00f9ng x\u00e1c th\u1ef1c \u0111\u0103ng nh\u1eadp tr\u00ean m\u1ed9t thi\u1ebft b\u1ecb (v\u00ed d\u1ee5: m\u00e1y t\u00ednh \u0111\u1ec3 b\u00e0n) b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng thi\u1ebft b\u1ecb kh\u00e1c (nh\u01b0 \u0111i\u1ec7n tho\u1ea1i c\u00f3 ch\u1ee9a kh\u00f3a FIDO). \u0110\u00e2y l\u00e0 m\u1ed9t ph\u01b0\u01a1ng th\u1ee9c ti\u1ec7n l\u1ee3i, nh\u01b0ng l\u1ea1i m\u1edf ra m\u1ed9t \u0111i\u1ec3m m\u00f9 v\u1ec1 b\u1ea3o m\u1eadt trong b\u1ed1i c\u1ea3nh ng\u01b0\u1eddi d\u00f9ng kh\u00f4ng th\u1ec3 tr\u1ef1c ti\u1ebfp x\u00e1c minh t\u00ean mi\u1ec1n \u0111ang y\u00eau c\u1ea7u x\u00e1c th\u1ef1c.<\/p>\n

Chu\u1ed7i t\u1ea5n c\u00f4ng \u0111\u01b0\u1ee3c th\u1ef1c hi\u1ec7n nh\u01b0 sau:<\/b><\/p>\n

    \n
  1. K\u1ebb t\u1ea5n c\u00f4ng g\u1eedi email phishing, d\u1ee5 ng\u01b0\u1eddi d\u00f9ng truy c\u1eadp v\u00e0o m\u1ed9t c\u1ed5ng \u0111\u0103ng nh\u1eadp gi\u1ea3 m\u1ea1o (v\u00ed d\u1ee5: gi\u1ea3 m\u1ea1o Okta).<\/li>\n
  2. Ng\u01b0\u1eddi d\u00f9ng nh\u1eadp t\u00ean \u0111\u0103ng nh\u1eadp v\u00e0 m\u1eadt kh\u1ea9u v\u00e0o trang gi\u1ea3 m\u1ea1o.<\/li>\n
  3. Th\u00f4ng tin \u0111\u0103ng nh\u1eadp \u0111\u01b0\u1ee3c chuy\u1ec3n ti\u1ebfp ng\u1ea7m \u0111\u1ebfn trang \u0111\u0103ng nh\u1eadp th\u1eadt.<\/li>\n
  4. Trang \u0111\u0103ng nh\u1eadp th\u1eadt ph\u1ea3n h\u1ed3i b\u1eb1ng c\u00e1ch sinh m\u00e3 QR ph\u1ee5c v\u1ee5 x\u00e1c th\u1ef1c li\u00ean thi\u1ebft b\u1ecb.<\/li>\n
  5. M\u00e3 QR n\u00e0y \u0111\u01b0\u1ee3c chuy\u1ec3n l\u1ea1i cho ng\u01b0\u1eddi d\u00f9ng tr\u00ean giao di\u1ec7n gi\u1ea3 m\u1ea1o.<\/li>\n
  6. Khi ng\u01b0\u1eddi d\u00f9ng qu\u00e9t m\u00e3 QR b\u1eb1ng \u1ee9ng d\u1ee5ng x\u00e1c th\u1ef1c tr\u00ean thi\u1ebft b\u1ecb di \u0111\u1ed9ng, h\u1ecd \u0111\u00e3 v\u00f4 t\u00ecnh x\u00e1c th\u1ef1c cho m\u1ed9t phi\u00ean \u0111\u0103ng nh\u1eadp do k\u1ebb t\u1ea5n c\u00f4ng kh\u1edfi t\u1ea1o, d\u1eabn \u0111\u1ebfn vi\u1ec7c b\u1ecb chi\u1ebfm quy\u1ec1n truy c\u1eadp t\u00e0i kho\u1ea3n.<\/li>\n<\/ol>\n

    V\u1ec1 b\u1ea3n ch\u1ea5t, ng\u01b0\u1eddi d\u00f9ng \u0111ang x\u00e1c th\u1ef1c m\u1ed9t phi\u00ean \u0111\u0103ng nh\u1eadp kh\u00f4ng ph\u1ea3i c\u1ee7a m\u00ecnh, nh\u01b0ng v\u1eabn tin r\u1eb1ng qu\u00e1 tr\u00ecnh n\u00e0y l\u00e0 h\u1ee3p ph\u00e1p.<\/p>\n

    \n
    \"1753079519842.png\"<\/div>\n<\/div>\n

    V\u00ec sao k\u1ef9 thu\u1eadt n\u00e0y nguy hi\u1ec3m?\u200b<\/h3>\n

    \u0110\u00e2y l\u00e0 m\u1ed9t v\u00ed d\u1ee5 \u0111i\u1ec3n h\u00ecnh c\u1ee7a k\u1ef9 thu\u1eadt downgrade authentication, t\u1ee9c l\u00e0 h\u1ea1 c\u1ea5p qu\u00e1 tr\u00ecnh x\u00e1c th\u1ef1c xu\u1ed1ng m\u1ed9t h\u00ecnh th\u1ee9c d\u1ec5 b\u1ecb thao t\u00fang, d\u00f9 c\u00f4ng ngh\u1ec7 \u0111ang d\u00f9ng l\u00e0 hi\u1ec7n \u0111\u1ea1i v\u00e0 an to\u00e0n.<\/p>\n

    \u0110i\u1ec3m \u0111\u00e1ng ch\u00fa \u00fd:<\/b><\/p>\n