Quote:
I believe that if web services just give up immediately and say, "oh, it's not our fault, that's the way everyone does it!", then they are not focusing on securing their app. In my paper, I mentioned a technique to add additional layers of security to prevent such an attack.
I can claim that X website is vulnerable to the "there's a virus on my computer" attack, when in fact all websites I visit become vulnerable. If someone can run away with my laptop, did they exploit the websites I saved my authentication in Firefox with? Again, if they put a keylogger on my machine, did they find a Facebook exploit? Of course not... so why would exploiting a vulnerability in the network have anything to do with the web application? (****, you could MITM their bank accounts and email if they were available; who cares about FB drama?)