[UWP] Is It Still Possible to Hack (Phish) WebAuthenticationBroker?

  • Question

  • Hello Community,

    I was recently reminded of this thread, but it appears to have been archived.  So I thought I would brush it off here to see if this is still an issue and/or if this has been addressed, since it was never answered (or, really, taken seriously).

    Namely, is it possible to phish a user of a UWP application and pull their credentials via the WebAuthenticationBroker?  Please see the linked thread for additional details on how this was possible.

    Thank you,

    Michael



    • Edited by Mike-EEE Tuesday, March 1, 2016 8:08 AM
    • Edited by Fred Bao Wednesday, March 2, 2016 5:13 AM add the tag
    Tuesday, March 1, 2016 8:08 AM

All replies

  • Hello Michael,

    Based on my research with our internal network, it seems there is still no built-in security mechanism for this. For what you want, I recommend you post a UserVoice item at:

    https://wpdev.uservoice.com/forums/110705-universal-windows-platform with your detailed scenario and requirement, such as adding a URL bar to the login page so that the user can then see which URL he is accessing.

    Regards.


    Wednesday, March 2, 2016 7:01 AM
  • Thank you Fred for your reply and for looking into this.  I have created a UserVoice item here:

    Consider Displaying URL/Location/Context to User in UWP Application During Authentication

    Thanks again for your efforts!

    -Michael

    • Marked as answer by Mike-EEE Thursday, March 3, 2016 11:31 AM
    Thursday, March 3, 2016 11:31 AM