That's not a problem. The attack would happen in real time anyway. Basically all the attacker has to do is send a different bitcoin address to MtGox compared to what's shown on the screen.
You don't have to! I'm not sure anything would need to be changed on the client side, but if so, Greasemonkey will do that for you without any impact on security certificates whatsoever. It basically alters the HTML after it's been received. I'm not a coder, but it can't take more than a few lines of code to modify one address into another.
Again, I don't think so. I'll give it a try by running some Greasemonkey script on e.g. Gmail, but I'm fairly certain I will still see a green padlock icon and no other warnings. That said, even if you would have to spoof everything, it's not rocket science for a decent script kiddie. HTML5 fullscreen FTW. This seriously sounds easier to me than writing a key logger. As an illustration: http://feross.org/html5-fullscreen-api-attack/
I checked your illustration, and I definitely agree it is possible to attack this way, but as I said, they need to implement full browser functionality and specific website functionality to get this working; otherwise, a little savvy will help you quickly realize something is wrong. At least when I pressed the button, I got two address bars, mine and the fake one. And the "website" is not reactive to normal operations. (Checking the certificate, for example, and my address bar did show it is not BOA.)
And this is why, when I set up two-factor authentication, I usually do not make it the default for login, but only for withdrawals or changes to security settings, since this way they at least need some work to make website-specific behavior.
Thanks for pointing this possibility out though.