Regardless of the installation method it sounds like we need to be running all applications in their own individual virtual machines (e.g. Qubes OS) or within a restricted environment with limited permissions (iOS)
While password based phishing might have been stopped by U2F it still leaves Gmail accounts vulnerable to OAuth phishing attacks which can be just as devastating.
This should also help put an end to cross domain search timing attacks. An old example of one using the IMG tag: https://www.idontplaydarts.com/2015/09/cross-domain-timing-a...
Its not just Google, Microsoft Office 365 also supports the use of Oauth tokens to read email.
They look everywhere, I think its a case of survivor bias where we only see when they succeed (via published bugs). We don't hear about the thousands of times that they failed to find anything.
The google queries for "roll a dice" and "flip a coin" aren't actually random either. They seem to be based off the current time.
Regardless of the installation method it sounds like we need to be running all applications in their own individual virtual machines (e.g. Qubes OS) or within a restricted environment with limited permissions (iOS)
While password based phishing might have been stopped by U2F it still leaves Gmail accounts vulnerable to OAuth phishing attacks which can be just as devastating.
This should also help put an end to cross domain search timing attacks. An old example of one using the IMG tag: https://www.idontplaydarts.com/2015/09/cross-domain-timing-a...
Its not just Google, Microsoft Office 365 also supports the use of Oauth tokens to read email.
They look everywhere, I think its a case of survivor bias where we only see when they succeed (via published bugs). We don't hear about the thousands of times that they failed to find anything.
The google queries for "roll a dice" and "flip a coin" aren't actually random either. They seem to be based off the current time.