Just In Case You Thought Two Factor Authentication Was a Silver Bullet
I will start with the spoiler – it is not.
Pentesters and hackers now have a new tool in their arsenal to defeat two factor authentication.
The tool was just released at the security conference Hack-In-The-Box and is now available on GitHub.
Hackers have had to get creative to attack web sites protected by two factor authentication, because they need to somehow force the target web site to generate a two factor request. That is harder when they are running a separate web site in a different domain that they control.
But of course, there is a way.
If the hacker’s web site acts as a proxy in between the user and the real web site, the web site will generate the needed request and the user will provide the second factor. Then the hacker needs to steal the cookie that the server sets before it expires.
That has been around for a while but was hard to do.
Muraena and NecroBrowser now automate most of this process so even a script kiddie (well, maybe not a script kiddie) can steal your money or information, even if two factor is operational.
This attack does not work if the company is using hardware tokens such as a Yubikey because the web site needs to interact directly with the key, but the attack does work against either SMS-based 2FA or authenticator apps.
While the article does not say so, I think the attack will not work in the case where you are using client side certificates for the same reason as the Yubikey.
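Why a proxied login fails with a hardware key, in WebAuthn terms: the browser writes the origin it actually loaded into the client data the key signs over, and the real site checks that value. The sketch below is an added example, not code from Muraena, NecroBrowser or the CSO article; the host names, RP ID and challenge are constructed, and signature verification is a separate step that is not shown.

```python
import base64
import hashlib
import json

# Assumed values for illustration: the real site's origin and WebAuthn RP ID.
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "example.com"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding used for the challenge in client data."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    issued_challenge: bytes) -> list:
    """Return the reasons to reject a WebAuthn login assertion (empty = pass).

    Verifying the signature over authenticator_data || SHA-256(client_data_json)
    is a separate step and is not shown here.
    """
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong type")
    if client.get("challenge") != b64url(issued_challenge):
        problems.append("challenge mismatch")
    # The browser fills in the origin it actually loaded, so a page served
    # from a proxy's domain cannot claim the real site's origin.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    # First 32 bytes of authenticator data: SHA-256 of the RP ID the key used.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    return problems


def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Build a constructed, unsigned assertion as a browser at `origin` would."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    # rpIdHash (32 bytes) + flags (1 byte, user present) + signature counter (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return client, auth_data


if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    print(check_assertion(*sample_assertion(EXPECTED_ORIGIN, RP_ID, challenge), challenge))
    # The same login attempted through a lookalike host (hypothetical name).
    print(check_assertion(*sample_assertion("https://login.examp1e.com", "examp1e.com", challenge), challenge))
```

A one-time code from SMS or an authenticator app carries no such origin field, which is why the user can type it into the wrong site and it is still accepted.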
All this means is that users cannot drop their guard. In these man-in-the-middle attacks, the user is directed to the hacker’s web site instead of the real one, and that site has a different name, even if it is only a little different.
Source: CSO Online