WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA

This tool, named Modlishka, is a reverse proxy that can intercept your login and your two-factor authentication (like the method used by the popular Google Authenticator) to give attackers access to your protected accounts. Several German websites reported on this tool:

 

German:

https://www.golem.de/news/modlishka-phishing-tool-umgeht-zwei-faktor-authentifizierung-1901-138674.html

https://www.zdnet.de/88351325/tool-hebelt-zwei-faktor-authentifizierung-aus/

https://winfuture.de/news,106885.html

 

English:

https://www.theinquirer.net/inquirer/news/3069049/2fa-bypassing-tool-modlishka-is-on-github-for-all-to-use

 

This tool is on GitHub in the open now, so it can be used by everybody to create great phishing sites:

 

https://github.com/drk1wi/Modlishka

 

The argument of the author is, according to zdNet.de, that without making this public, nobody would change the current process or even think about another, maybe better, solution.

Quote

"We must face the fact that without a conclusive proof of concept, the risk is regarded as theoretical, and no serious remedial measures take place."

(Google translate): "We have to face the fact that without a conclusive proof of concept, the risk is considered theoretical - and no serious remedial action is taken."

The only way not to get hacked this way is to always check the URL and certificate of the website you're typing your data into, which can be tricky when you only get a small browser window without a visible URL to log in, and some apps don't present the URL or certificate at all. :(
A way around this is to use a hardware dongle that supports U2F for example, but these are not very convenient and cannot be used with all devices.

 

Never feel too safe,

questargon

 

P.S.: This is NOT a new flaw, as pointed out below. It just makes it easier for third parties ("script kiddies") to exploit this vulnerability.

Edited by Questargon
Formatting, urls, added link to the inquirer, added the P.S.


A little bit scary. Whilst I agree it all needs to be in the open to force people to up their ante on security, the idea that making programs intended to undermine security in order to push developers to think of a new/different process is a bad idea. There are honorable motives and there are stupid motives; let's not confuse the two.


Well, kind of a dickbag move to just put it out there; they should have really told Google, Authy and any other major 2FA companies about this a few weeks before, at least.

 

Are all 2FA services hurt by this even? Is Authy hit, or is it just a Google flaw?


5 hours ago, Bananasplit_00 said:

Are all 2FA services hurt by this even? Is Authy hit, or is it just a Google flaw?

ALL methods that enter authentication information via the same website across consecutive web pages are affected, so Authy is affected as well. It's in the principle of the tool to fake the website by forwarding it to you and grab all information you enter there: a classic "man in the middle" attack. U2F dongles use another interface and NOT the web GUI to enter the authentication, and that cannot be faked via a web proxy, so they cannot be intercepted (AFAIK; I assume this U2F interface also checks the certificate of the website, so only the right website receives the right token, therefore it won't work with the certificate of the phishing proxy).

Edited by Questargon
Clarification, removed typos


1 minute ago, Questargon said:

ALL methods that enter authentication information via the same website across consecutive web pages are affected, so Authy is affected as well. It's in the principle of the tool to fake the website by forwarding it to you and grab all information you enter there: a classic "man in the middle" attack. U2F dongles use another interface and NOT the web GUI to enter the authentication, and that cannot be faked via a web proxy, so they cannot be intercepted (AFAIK).

OK, I have wanted to get a physical 2FA dongle for some time now. Guess this is even more reason to, then.


1 minute ago, Neftex said:

This is nothing new? If you enter your information into a fake site, there's no saving you...

Yeah, true dat. -_-

But I think it's important to give a wake-up call to people who have a false sense of security from using Google Authenticator, Authy or other similar tools.

 

Hell ... even I would fall for such a phishing site if I'm in a rush. :(


The only way this would work is if the phishing site harvests your login credentials and also the authentication code at the same time and also gets it used up instantly, because you can't capture an authentication code and use it later or derive a hash from it. So they are restricted to the auth code timeframe of 10 seconds or so (some have more as a safety margin for slow connections). They also have to make the best use of your account for that login before they get discovered. Usually you can't change 2FA without again verifying the code, though not for all services. Some services track your usage patterns, and if they have 100 logins from Germany and all of a sudden 1 login happens in the USA or, let's say, some Asian country, it would block the access automatically and require e-mail authentication (or phone).

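Questargon's point above (a U2F token only answers for the right website) and RejZoR's point (an authenticator code is only useful for a short time) both come down to what the second factor is bound to. The Python model below is an added example, not code from Modlishka, from anyone in this thread or from any 2FA vendor. It implements RFC 6238 TOTP (HMAC-SHA1, the RFC's default 30-second step, 6 digits) next to a cut-down, U2F/WebAuthn-shaped assertion whose signed client data carries the origin the browser was actually on. The origins, the authenticator seed, the challenge and the per-credential key are constructed values, and the token's ECDSA signature is stood in for by an HMAC so the block runs on the standard library alone; a real relying party verifies a public-key signature and also checks the application parameter and the signature counter, which are left out here.

```python
"""Toy model: why a relayed TOTP code verifies but an origin-bound U2F/WebAuthn
assertion does not. Added example, not Modlishka's code or any poster's.
The token's ECDSA signature is replaced by an HMAC (constructed simplification)."""
import base64
import hashlib
import hmac
import json
import struct
import time
from typing import Optional

LEGIT_ORIGIN = "https://accounts.example.com"          # constructed relying-party origin
PROXY_ORIGIN = "https://accounts.example-login.test"   # constructed look-alike proxy origin


# ---- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) -----------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code an authenticator app shows at unix_time for the shared seed."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_server_accepts(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. The code carries no information about which page collected it,
    so a code typed into a proxy and forwarded within the window is indistinguishable
    from one typed into the real site."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + skew * 30), submitted)
        for skew in range(-window, window + 1)
    )


# ---- Origin-bound assertion (shape of U2F / WebAuthn clientData) -----------------------
def authenticator_sign(token_key: bytes, browser_origin: str, challenge: str) -> dict:
    """The browser records the origin it is really on; the token signs a hash of it.
    The binding comes from the browser filling the origin in and the relying party
    checking it, not from the token inspecting the website."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": browser_origin, "typ": "navigator.id.getAssertion"},
        sort_keys=True,
    ).encode()
    signature = hmac.new(token_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientData": client_data, "signature": signature}


def rp_verify_assertion(token_key: bytes, assertion: dict, expected_challenge: str,
                        expected_origin: str = LEGIT_ORIGIN) -> tuple:
    """Relying-party check: challenge is ours, origin is ours, signature covers both."""
    data = json.loads(assertion["clientData"])
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch"
    expected_sig = hmac.new(token_key, hashlib.sha256(assertion["clientData"]).digest(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo(now: Optional[int] = None) -> dict:
    """Four scenarios; the returned verdicts are what a caller can check."""
    now = int(time.time()) if now is None else now
    seed = base64.b32decode("JBSWY3DPEHPK3PXP")          # constructed authenticator seed
    token_key = b"constructed-per-credential-key"        # stand-in for the credential's key pair
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"            # constructed server challenge

    # 1. TOTP code typed into the proxy page and forwarded unchanged a few seconds later.
    relayed_code = totp(seed, now)
    totp_accepted = totp_server_accepts(seed, relayed_code, now + 5)

    # 2. Hardware key used while the browser is on the proxy origin: clientData says so.
    relayed = authenticator_sign(token_key, PROXY_ORIGIN, challenge)
    u2f_relayed = rp_verify_assertion(token_key, relayed, challenge)

    # 3. The origin field is rewritten in transit; the signature no longer matches.
    tampered = dict(relayed)
    tampered["clientData"] = relayed["clientData"].replace(PROXY_ORIGIN.encode(), LEGIT_ORIGIN.encode())
    u2f_tampered = rp_verify_assertion(token_key, tampered, challenge)

    # 4. Same key, browser genuinely on the relying party's origin.
    u2f_legit = rp_verify_assertion(token_key, authenticator_sign(token_key, LEGIT_ORIGIN, challenge), challenge)

    return {"totp_accepted": totp_accepted, "u2f_relayed": u2f_relayed,
            "u2f_tampered": u2f_tampered, "u2f_legit": u2f_legit}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the file prints the four verdicts: the relayed TOTP code is accepted because nothing in it identifies the page that collected it, the relayed assertion fails the origin check, rewriting the origin breaks the signature, and only an assertion produced on the real origin verifies. That origin binding is the property a reverse proxy cannot work around, and it is why a hardware key is the fix the thread converges on.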

3 minutes ago, RejZoR said:

The only way this would work is if the phishing site harvests your login credentials and also the authentication code at the same time and also gets it used up instantly, because you can't capture an authentication code and use it later or derive a hash from it. So they are restricted to the auth code timeframe of 10 seconds or so (some have more as a safety margin for slow connections). They also have to make the best use of your account for that login before they get discovered. Usually you can't change 2FA without again verifying the code, though not for all services. Some services track your usage patterns, and if they have 100 logins from Germany and all of a sudden 1 login happens in the USA or, let's say, some Asian country, it would block the access automatically and require e-mail authentication (or phone).

It doesn't work that way: it sits between you and the legitimate site, so when you log in using 2FA, they are logged in and see everything also.


With Google there's an option called "always trust this device". When the attacker enables this, his browser gets a cookie that gives him access to that account indefinitely. The user will get a mail that a new client has authenticated on Google, but if he does not verify this, he might think that this mail has just been sent BECAUSE he just logged in to Google. The new client will also appear in the list of authenticated clients on his Google account page, but who really verifies this?

I don't say that you cannot discover that attack, but "John Doe" just might not know how, or even care, until the damage has been done. As in so many cases, it plays on the sloppiness of users handling authentication.

(The stuff said above is an assumption of mine though, because I did not play around with Modlishka to verify what an attacker really can or cannot do with this tool)

Edited by Questargon
Typos...


3 minutes ago, mr moose said:

It doesn't work that way: it sits between you and the legitimate site, so when you log in using 2FA, they are logged in and see everything also.

I can't see how this could affect me, given I never visit sites directly from e-mails which could be phishing (plus I have custom filters for major services which put a CERTIFIED label on them, and I also check the certificate name of the webpage, which takes just a glance to figure out). It might affect those who fall for fake e-mails and people who google for login pages instead of using stored bookmarks that ensure correct webpage usage, unless someone hacks the actual provider.


Just now, RejZoR said:

I can't see how this could affect me, given I never visit sites directly from e-mails which could be phishing (plus I have custom filters for major services which put a CERTIFIED label on them, and I also check the certificate name of the webpage, which takes just a glance to figure out). It might affect those who fall for fake e-mails and people who google for login pages instead of using stored bookmarks that ensure correct webpage usage, unless someone hacks the actual provider.

That's what the OP says. It is a phishing scam. But it doesn't harvest login details or try to capture an authorization code.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


1 hour ago, Questargon said:

A way around this is to use a hardware dongle that supports U2F for example, but these are not very convenient and cannot be used with all devices.

I think this is a must for politicians, government agencies and businesses with sensitive information. Google offers the Advanced Protection Program, which uses a FIDO key. What's nice is that even people with @gmail email addresses can use it. https://landing.google.com/advancedprotection/

 

Does Microsoft offer something similar with Office 365?


Found this on Yubico: https://www.yubico.com/2018/04/yubico-and-microsoft-introduce-passwordless-login/

(Not meant to be an ad for them, but this company sells the YubiKeys, which can be used in U2F mode. There are others as well.)


2 hours ago, Bananasplit_00 said:

Well, kind of a dickbag move to just put it out there; they should have really told Google, Authy and any other major 2FA companies about this a few weeks before, at least.

 

Are all 2FA services hurt by this even? Is Authy hit, or is it just a Google flaw?

There isn't really any point in telling Google or the other 2FA providers, because this has been known since day 1. It's just that this packages already-known "vulnerabilities" (if you can call them that) into an easy-to-use package.


2 minutes ago, LAwLz said:

There isn't really any point in telling Google or the other 2FA providers, because this has been known since day 1. It's just that this packages already-known "vulnerabilities" (if you can call them that) into an easy-to-use package.

Yeah, I understand that now; I was under the impression there was a new flaw that had been discovered, not the normal fake login page that rips your credentials.


2 hours ago, mr moose said:

A little bit scary, Whilst I agree it all needs to be in the open to force people to up their anti on security, the ideal that making programs intentional to undermine security in order to push developers to think of a new/different process is a bad ideal.  There's honorable motives and there's stupid motives, lets not confuse the two.

It really isn't anything complicated. The thing is that normies just take everything for granted.

 

Most antiviruses that are worth anything have anti-phishing modules that check URL similarities to legit sites. Most browsers these days show the full name of the certificate owner in a green rectangle and refuse to open windows without the URL and certificate display (though I'd have to check up on that). Check mail addresses, or do like me and create a list of legit ones so you have a label confirming for you that the sender really is eBay or PayPal. Google, last time I was using it, was doing this by itself to let users know whether the sender is legit or not.

 

If you have just a few basic security checks in place, you lower the chance of falling for phishing so dramatically that it's basically not affecting you anymore.

 

I guess I'll have to write a basic security guide on how to safeguard yourself in general. I made one in the past for shopping and how to safeguard yourself when doing that...


2 minutes ago, RejZoR said:

It really isn't anything complicated. The thing is that normies just take everything for granted.

 

Most antiviruses that are worth anything have anti-phishing modules that check URL similarities to legit sites. Most browsers these days show the full name of the certificate owner in a green rectangle and refuse to open windows without the URL and certificate display (though I'd have to check up on that). Check mail addresses, or do like me and create a list of legit ones so you have a label confirming for you that the sender really is eBay or PayPal. Google, last time I was using it, was doing this by itself to let users know whether the sender is legit or not.

 

If you have just a few basic security checks in place, you lower the chance of falling for phishing so dramatically that it's basically not affecting you anymore.

 

I guess I'll have to write a basic security guide on how to safeguard yourself in general. I made one in the past for shopping and how to safeguard yourself when doing that...

How does any of that relate to what I said?


44 minutes ago, RejZoR said:

I guess I'll have to write a basic security guide on how to safeguard yourself in general. I made one in the past for shopping and how to safeguard yourself when doing that...

Not to be rude or anything, but I really don't think you're the right person to write a security guide.


3 hours ago, mr moose said:

anti

Should be "ante"


1 hour ago, LAwLz said:

Not to be rude or anything, but I really don't think you're the right person to write a security guide.

And who is? You? People who are the most knowledgeable are probably the last people that should be educating the masses, because they can't dumb down their minds enough to make anything sensible to them. So, yeah, I actually am. Security guides for the general public are not meant to be technical; they need to teach people who have absolutely no clue what security even is and protect them from doing something stupid with their personal or financial data.

 

And if you're drawing conclusions from my questions here: I read this news at work, where I didn't have time to read it in detail from the actual links or documentation of the tool. So, there's that.


1 minute ago, RejZoR said:

And who is? You? People who are the most knowledgeable are probably the last people that should be educating the masses, because they can't dumb down their minds enough to make anything sensible to them. So, yeah, I actually am.

>Assuming someone who is extremely knowledgeable about a topic can't put it into easy-to-understand terms because they're too smart


5 hours ago, Questargon said:

Modlishka

Sounds suspiciously Russian :/ 


10 minutes ago, TVwazhere said:

>Assuming someone who is extremely knowledgeable about a topic can't put it into easy-to-understand terms because they're too smart

I'm not assuming, I know. I have seen it so many times; it's almost a stereotype, and not for no reason.


I just came up with an idea of how to explain this vulnerability better:

 

Assume you're connected to a remote machine via Remote Desktop Protocol, VNC, TeamViewer or the like. You enter your credentials and 2FA code on this machine, and just after you send it all away, the connection gets disconnected and the hacker sitting directly at your remote machine takes over your session with the browser open on that account.
