A security researcher has released a proof-of-concept tool that bypasses two-factor authentication (2FA) used by Gmail and other services to highlight the most easily exploited weaknesses in enterprise security.
Social engineering is a serious threat and cannot be treated lightly, according to Polish security researcher Piotr Duszyński.
“Over many years of my penetration testing experience, I have found social engineering the easiest and most effective way to get a proper foothold into the internal network of my customers,” Duszyński wrote in a blog post.
Attackers know, he said, that there is no need for zero-day vulnerabilities to defeat the security defences protecting the perimeter, because all that is required to compromise security and reach sensitive data is “just a few emails or phone calls”.
The reverse proxy tool, which is available on GitHub along with user guidelines, can be used to bypass most of the currently used 2FA authentication schemes and uses a technique that Duszyński said he has exploited for “quite a while already”.
He further justifies the creation and release of the tool by saying it should be useful to all penetration testers who want to carry out an effective phishing campaign as well as for organisations’ red teaming exercises to test the effectiveness of their cyber defences.
The tool puts an imperceptible phishing site between the user and the legitimate site in a classic man-in-the-middle-style attack to harvest credentials, including second-factor authentication codes, and therefore does not require the attacker to create a fake version of the site to trick users into entering their details.
However, this reverse proxy technique does not work against 2FA schemes that use universal 2nd factor (U2F), which is a type of physical authentication device that uses encryption and private keys to protect and unlock supported accounts.
Because it works only against schemes that rely on codes sent by mobile text, Duszyński said it does not mean 2FA is broken, but it does mean that individuals and organisations need to pay more attention to phishing and other forms of social engineering designed to steal legitimate user credentials.
“If you don't want to always verify if the domain name in the URL address bar of your browser isn’t somehow malicious or worry if there’s yet another URL spoofing bug, then consider switching to U2F protocol,” he said.
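As an added illustration (not from the article or from Duszyński's tool) of why a relayed one-time code survives a reverse proxy but a U2F assertion does not: the token signs over the origin the browser is actually talking to, so the relying party rejects an assertion produced on a look-alike domain. The two domains and the HMAC stand-in for the token's key pair are constructed simplifications.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.example.com"    # constructed legitimate site
PROXY_ORIGIN = "https://accounts-example.com"   # constructed look-alike proxy domain


def make_credential():
    # Stand-in for a U2F key pair: a secret known only to the token and the
    # relying party's registration record (constructed simplification; real
    # U2F uses an asymmetric key pair and ECDSA signatures).
    return secrets.token_bytes(32)


def token_sign(key, origin_seen, challenge):
    # The browser supplies the origin it is really connected to; the token
    # signs over that origin together with the server's challenge.
    client_data = json.dumps(
        {"origin": origin_seen, "challenge": challenge}, sort_keys=True
    ).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()


def rp_verify(key, expected_origin, challenge, client_data, sig):
    # Relying party checks the signature, then that the signed origin is its own.
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    return data["origin"] == expected_origin and data["challenge"] == challenge


def otp_login(relayed_code, server_code):
    # SMS or app code: nothing ties it to a domain, so a relayed code is accepted.
    return relayed_code == server_code


def u2f_login_direct(key):
    challenge = secrets.token_hex(16)
    client_data, sig = token_sign(key, REAL_ORIGIN, challenge)
    return rp_verify(key, REAL_ORIGIN, challenge, client_data, sig)


def u2f_login_via_proxy(key):
    # The real site's challenge is relayed unchanged, but the browser is on the
    # proxy domain, so that is the origin the token signs.
    challenge = secrets.token_hex(16)
    client_data, sig = token_sign(key, PROXY_ORIGIN, challenge)
    return rp_verify(key, REAL_ORIGIN, challenge, client_data, sig)
```

The same origin check is what the article's U2F recommendation relies on: the user never has to inspect the address bar, because the browser reports the origin to the token on their behalf.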
However, Duszyński warned that in addition to browser bugs that allow URL bar spoofing and a lack of user awareness, the technique means that some organisations could be serving up their most valuable assets to adversaries on a silver plate.
“At the end, even the most sophisticated security defence systems can fail if there is no sufficient user awareness, and vice versa for that matter,” he said.
Jake Moore, cyber security expert at ESET UK, warned that Duszyński’s proof-of-concept idea could be used in a targeted attack, although it would require the right victim to fall for a phishing attack and the attacker would need to be monitoring stolen credentials and 2FA codes in real time to log into the targeted account before the codes expired.
“This isn’t a technique for a huge phishing campaign, but definitely one for CEOs to be aware of,” he said. “It also highlights the need to educate people on phishing emails in general should they feel the need to input private data on a dodgy link.”
Moore noted that shorter time limits on 2FA security codes would help mitigate this type of attack, as an attacker would have even less time to use a captured code. He also said authenticator apps typically give a shorter window for entering each code, which would limit an attacker’s ability to take advantage of codes collected using Duszyński’s tool.
In August 2018, Reddit reported a password breach despite using 2FA, exposing the weaknesses of 2FA based on mobile text messages.
Although 2FA is widely recommended in addition to passwords as a way of improving account security, Reddit used SMS-based 2FA, which is known to be flawed.
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit said in a statement. “We point this out to encourage everyone here to move to token-based 2FA.”