Re: [OAUTH-WG] [External Sender] Re: Collective name for attacks on cross-device flows: Cross-Device Consent Phishing (CDCP)

2023-06-19 Thread Karsten Meyer zu Selhausen

+1

On 15.06.2023 17:05, George Fletcher wrote:

I'm a +1 for the name

On Thu, Jun 15, 2023 at 11:04 AM Aaron Parecki wrote:


I like it, it's definitely the best out of the list.

Aaron

On Thu, Jun 15, 2023 at 7:57 AM Pieter Kasselman wrote:

Hi folks, one of the discussion points at IETF 116 for the
cross-device security BCP was finding a collective name for
the exploits of the cross device flows we were seeing. We got
several suggestions since then (see list below).

We are thinking of adopting the term “Cross-Device Consent
Phishing (CDCP)” given that it describes the scope of the
attacks (cross-device), the purpose of the attacks (obtaining
user consent), and the technique (phishing, and other social
engineering techniques).

Does this feel like a good descriptive name to adopt?

The list of names that was suggested over the last few months:

 1. Cross-Device Consent Phishing
 2. Illicit Consent Grant Attack
 3. Attacker-in-the-Middle Attack
 4. Authorization Context Manipulation Attack
 5. Authorization Context Manipulation Exploit
 6. "Cross-Device Authorization Exploit"
 7. "Social Engineering Token Theft"
 8. "Authorization Flow Manipulation Exploit"
 9. Context Manipulation Authorization Exploit
10. Zishing
11. Azishing
12. FlowJack
13. AuthJack
14. TokenJack
15. Permitphishing
16. Authishing

Cheers

Pieter

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth














--
Karsten Meyer zu Selhausen
Senior IT Security Consultant


Re: [OAUTH-WG] [External Sender] Re: Collective name for attacks on cross-device flows: Cross-Device Consent Phishing (CDCP)

2023-06-15 Thread George Fletcher
I'm a +1 for the name

