
WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA

17 minutes ago, Questargon said:

I just came up with an idea on how to explain this vulnerability better:

 

Assume you're connected to a remote machine via Remote Desktop Protocol, VNC, Teamviewer or the like. You enter your credentials and 2FA-Code on this machine and just after you send it all away, the connection gets disconnected and the hacker sitting directly at your remote machine takes over your session with the browser open on that account.

That's a pretty poor way of explaining it because there is no disconnection or such. Everything is transparent to the user. To them it just seems like they are browsing a normal website, and their credentials (including 2FA tokens) are silently being logged in the background.


This is why, if you want to stay safe, you need to be using the newest 2FA technologies all the time now. First it was switching from SMS to an app, now it's from an app to a physical key. I have a USB key for everything and it's safe from about everything outside of getting stolen. Just don't forget to have a backup in case you lose it so you can recover your accounts and then lock them down again.


15 hours ago, LAwLz said:

That's a pretty poor way of explaining it because there is no disconnection or such. Everything is transparent to the user. To them it just seems like they are browsing a normal website, and their credentials (including 2FA tokens) are silently being logged in the background.

Okok, my example was not perfect. I was trying to illustrate a similar way of how your login might get compromised.

You're absolutely correct though: With Modlishka there would be no warning when your credentials are being phished.

Edited by Questargon
Removed a text I was unsure about... -_- This is complicated.

CPU Ryzen 7 5800X | MoBo MSI B550 Gaming Plus | RAM 32GB Teamgroup @3600/18 | GPU EVGA RTX 3070 Ti FTW | Case Enthoo Pro M SE
PSU bq! Straight Power 11 Plat. 750W CM | Cooling Scythe Fuma 2 & 5x Corsair ML140 | Sound SB Z Retail | Storage Samsung 970 EVO 500GB
Display(s) Iiyama GB3461WQSU, Dell 24", LG 34UM95 | Keyboard Kinesis Freestyle Edge | Mouse Logitech G900 Chaos Spectrum | OS Windows 11


That's why you use physical hardware keys and not some shitty schemes using a phone. A phone has a much larger attack surface, no direct connection to the website you are authenticating to, and phone messages are interceptable with sufficient funds. FIDO2 and U2F are much better since the attack surface is really small and it has a direct connection to the website it's authenticating to. I don't understand websites that offer 2FA but don't have FIDO2/U2F to offer, just some shitty phone apps. It makes it way less secure and denies the security to those who are using (arguably more secure) dumbphones. It's not that hard to implement FIDO2/U2F, just do it, the security of your clients will increase WAY more.
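The "direct connection to the website" the post refers to is the origin binding in FIDO2/WebAuthn: the browser writes the page origin into clientDataJSON and the authenticator hashes the relying-party ID into authenticatorData, and both are covered by the authenticator's signature. The following is an added example, not code from the thread or from Modlishka, showing the checks a relying party performs on those two fields and why an assertion produced while the user is browsing through a proxy on another domain fails them. The host names, challenge and sign counter are constructed sample values; the final signature check over the returned payload (done with the credential's registered public key) is outside this snippet.

```python
import base64
import hashlib
import json

# Assumed relying-party identity for the real site (constructed, not a real host).
RP_ID = "accounts.example.test"
RP_ORIGIN = "https://accounts.example.test"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser builds it for an assertion."""
    body = {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": origin}
    return json.dumps(body, separators=(",", ":")).encode()


def make_authenticator_data(rp_id: str, sign_count: int, user_present: bool = True) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """Bytes the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
    Because the origin sits inside clientDataJSON, a proxy cannot rewrite it
    without invalidating the signature."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def check_binding(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes,
                  expected_origin: str = RP_ORIGIN, expected_rp_id: str = RP_ID):
    """Relying-party side checks that precede signature verification.
    Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != _b64url(expected_challenge):
        return False, "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") != expected_origin:
        # This is the check a reverse-proxy phish fails: the browser records the
        # origin the user actually visited, not the site the proxy forwards to.
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "origin and rpId bound to the real site"


def demo():
    """Legitimate assertion versus one produced while browsing through a proxy host."""
    challenge = b"constructed-challenge-0123456789"  # constructed server nonce
    legit = check_binding(make_client_data(RP_ORIGIN, challenge),
                          make_authenticator_data(RP_ID, sign_count=7), challenge)
    # Constructed proxy host. A browser refuses to use the real rpId from a foreign
    # origin, so the proxy can only present its own host; both fields then differ.
    phish_host = "accounts.example-phish.test"
    proxied = check_binding(make_client_data("https://" + phish_host, challenge),
                            make_authenticator_data(phish_host, sign_count=7), challenge)
    return legit, proxied


if __name__ == "__main__":
    for label, result in zip(("legit", "proxied"), demo()):
        print(f"{label}: {result}")
```

Contrast this with a TOTP code or an SMS code, which carry no information about where they were typed: the relying party cannot tell a code entered on the real site from one relayed through a proxy, which is exactly the gap the tool in this thread exploits.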


Ok. Another try to explain this:

1) Victim logs in to his remote machine

2) Phisher grabs username, password and 2FA token the victim enters as well as any session UUIDs/tokens in his browser by looking directly on that remote machine without the victim noticing anything.

3) Phisher uses these credentials and UUIDs/tokens that were used in this session to log in to the victim's account in his own browser. He can even do this after the 2FA token is no longer valid! (I hope I understood the video the creator posted on GitHub correctly).

 

You can be logged in to your Google Account multiple times without getting any notice, so you don't even see somebody messing around.


When you are saying use hardware 2FA tokens, are we talking about products like the U2F/OTP keys or something else? (e.g. the physical RSA SecurID token) Quite frankly, even though I have a U2F key, they hardly work with many websites at all, so I don't really think that is very viable as a complete alternative.

 

EDIT: Same for other hardware OTP tokens: I don't know enough about them to have a full opinion, but would they really mitigate this vulnerability? Based on what I read in the article I am still not clear if they would.

Edited by FratStar
research

Cpu: Ryzen 9 3900X – Motherboard: Gigabyte X570 Aorus Pro Wifi  – RAM: 4 x 16 GB G. Skill Trident Z @ 3200mhz- GPU: ASUS  Strix Geforce GTX 1080ti– Case: Phankteks Enthoo Pro M – Storage: 500GB Samsung 960 Evo, 1TB Intel 800p, Samsung 850 Evo 500GB & WD Blue 1 TB PSU: EVGA 1000P2– Display(s): ASUS PB238Q, AOC 4k, Korean 1440p 144hz Monitor - Cooling: NH-U12S, 2 gentle typhoons and 3 noiseblocker eloops – Keyboard: Corsair K95 Platinum RGB Mouse: G502 Rgb & G Pro Wireless– Sound: Logitech z623 & AKG K240


On 1/14/2019 at 7:18 AM, RejZoR said:

I guess I'll have to write a basic security guide on how to safeguard yourself in general.

I wrote one too. They don't get paid attention to like more clickbaity things.


Great news for me I don’t use anything with two-factor authentication.

 


On 1/14/2019 at 10:27 AM, Questargon said:

The new client will also appear in the list of authenticated clients on his google account page, but who verifies this really?

Me actually -.- I check all my sessions in Google, Authy and the like.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


1 hour ago, RorzNZ said:

Great news for me I don’t use anything with two-factor authentication.

 

How is that great news? You're more exposed by default lol


3 minutes ago, RejZoR said:

How is that great news? You're more exposed by default lol

Oh dear


3 hours ago, RorzNZ said:

Oh dear

Not to this particular exploit. Jesus, if anyone ever actually read shit like ever...
