nalllar | 5 months ago

> 1. NEVER EVER login from an email link. EVER. There are enough legit and phishing emails asking you to do this that it's basically impossible to tell one from the other. The only way to win is to not try.

Sites choosing to replace password login with initiating the login process and then clicking a "magic link" in your email client is awful for developing good habits here, or for giving good general advice. :c

kyle-rb | 5 months ago

In that case it's the same as a reset-password flow.

In both cases it's good advice not to click the link unless you initiated the request. But with the auth token in the link, you don't need to log in again, so the advice is still the same: don't log in from a link in your email; clicking links is ok.

tomsmeding | 5 months ago

Clicking links from an email is still a bad idea in general because of at least two reasons:

1. If a target website (say important.com) sends poorly-configured CORS headers and has poorly configured cookies (I think), a third-party website is able to send requests to important.com with the cookies of the user, if they're logged in there. This depends on important.com having done something wrong, but the result is as powerful as getting a password from the user. (This is called cross-site request forgery, CSRF.)

2. They might have a browser zero-day and get code execution access to your machine.

If you initiated the process that sent that email and the timing matches, and there's no other way than opening the link, that's that. But clicking links in emails is overall risky.
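The server-side settings that close off the CSRF scenario described in the comment above, as an added example that is not code from the thread or from any real site: a session cookie that cannot be replayed cross-site, CORS that never grants credentialed responses to arbitrary origins, and an Origin / Fetch Metadata check on state-changing requests. "important.com" is the commenter's hypothetical domain, and the header values are constructed samples.

```javascript
// Added example, not code from the thread or from any real site. It shows the
// server side of the CSRF scenario in the comment above: a session cookie that
// cannot be replayed cross-site, CORS that never hands credentialed responses
// to arbitrary origins, and an Origin / Fetch Metadata check on state-changing
// requests. "important.com" is the commenter's hypothetical domain.

const SELF_ORIGIN = "https://important.com";

// Session cookie with the attributes that limit cross-site replay.
function sessionCookieHeader(value) {
  return `session=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Lists the attributes a Set-Cookie header lacks (the "poorly configured cookies" case).
function cookieWeaknesses(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.some((a) => a === "samesite=lax" || a === "samesite=strict")) {
    missing.push("SameSite=Lax|Strict");
  }
  return missing;
}

// CORS for credentialed requests: echo only an allow-listed origin, never "*".
function corsHeadersFor(requestOrigin) {
  if (requestOrigin !== SELF_ORIGIN) return {}; // no grant: the browser withholds the response
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Decide whether a state-changing request came from our own origin. Header names
// are matched case-insensitively; Fetch Metadata is preferred, Origin (then
// Referer) is the fallback for browsers that do not send it.
function isSameOriginRequest(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const site = h["sec-fetch-site"];
  if (site === "same-origin" || site === "none") return true;
  if (site) return false; // "cross-site", or "same-site" from a sibling subdomain
  let origin = h["origin"];
  if (!origin && h["referer"]) origin = new URL(h["referer"]).origin;
  return origin === SELF_ORIGIN; // a POST with no Origin at all is treated as forged
}
```

A request that arrives with the user's cookies but fails `isSameOriginRequest` is exactly the cross-site request the comment describes, and should be rejected before any state changes.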

kiitos | 5 months ago

How is this any worse than a spear phishing email that gives a login link to a malicious domain that looks the same as the official domain?