Long considered a safe alternative to simple passwords, two-factor authentication is the gold standard these days across web services for ordinary users.
But security awareness training provider KnowBe4’s Chief Hacking Officer Kevin Mitnick recently demonstrated an exploit which allowed him to easily bypass two-factor authentication (2FA). According to a recent report from TechCrunch, the hack was demonstrated in a public video which shows Mitnick convincing a victim to visit a lookalike domain in order to capture their login credentials and 2FA authentication code.
Using the captured credentials and code, Mitnick was then able to log in to the actual website and capture the session cookie, which let him stay logged in indefinitely. In effect, Mitnick used the one-time 2FA code as a means to spoof a login and grab all the authentication data. Stu Sjouwerman, CEO of KnowBe4, shed more light on the exploit and was quoted as saying:
“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site…Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organizations.”
The tool, called evilginx, was developed by white hat hacker Kuba Gretzky and has been detailed in a post on his website. Since the tool was demonstrated publicly, Sjouwerman estimates that hackers will begin using it in the next few weeks, and he urges users and IT managers to toughen up their security protocols to prevent any breaches.
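The attack described above only works if the victim reaches a lookalike domain rather than the real login host, so one practical check on the defender's side is to screen outbound proxy or DNS logs for hosts that resemble the organisation's real login domains. The following Python script is an added example and is not code from the article, from KnowBe4 or from the evilginx author; the allowlist of protected domains, the confusable-character table, the distance threshold and the proxy log lines are all constructed for illustration.

```python
"""Flag lookalike domains against an allowlist of legitimate login hosts.

Added example for this article (not KnowBe4's or evilginx's code).
All domain names, thresholds and log lines are constructed assumptions.
"""
import unicodedata

# Constructed allowlist of the organisation's real login hosts (assumption).
PROTECTED_DOMAINS = ("example-bank.com", "login.example-corp.com")

# Visual substitutions commonly used in lookalike registrations.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
CONFUSABLE_CHARS = {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l"}

# Constructed proxy log lines: "TIMESTAMP CLIENT METHOD URL".
LOG_LINES = [
    "2024-05-01T09:12:03Z 10.0.0.4 GET https://example-bank.com/login",
    "2024-05-01T09:14:41Z 10.0.0.7 GET https://examp1e-bank.com/login",
    "2024-05-01T09:15:02Z 10.0.0.7 POST https://exarnple-bank.com/otp",
    "2024-05-01T09:16:30Z 10.0.0.9 GET https://example-bank.co/login",
    "2024-05-01T09:17:11Z 10.0.0.9 GET https://example-bank.com.secure-portal.test/",
    "2024-05-01T09:18:45Z 10.0.0.2 GET https://news.example.org/",
]


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and fold visually similar glyphs to one form."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for pair, repl in CONFUSABLE_PAIRS:
        d = d.replace(pair, repl)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in d)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable part: the last two labels (adequate for .com-style TLDs)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def classify(host: str, protected=PROTECTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike:<target>' or 'unrelated' for a host."""
    raw = host.strip().lower()
    # Exact match (or a true subdomain) on the un-normalized name is legitimate;
    # the folded form is deliberately not used here, or examp1e-bank.com would pass.
    for legit in protected:
        if raw == legit or raw.endswith("." + legit):
            return "legitimate"
    norm = normalize(raw)
    reg_host = registrable(norm)
    for legit in protected:
        reg_legit = registrable(normalize(legit))
        brand = reg_legit.split(".")[0]
        # Near-identical registrable part (typo, swapped TLD, confusable glyphs),
        # or the brand reused as a label under some other domain.
        if levenshtein(reg_host, reg_legit) <= max_distance or brand in norm.split("."):
            return f"lookalike:{legit}"
    return "unrelated"


def host_of(log_line: str) -> str:
    """Pull the host out of a constructed 'TIMESTAMP CLIENT METHOD URL' line."""
    url = log_line.split()[-1]
    return url.split("://", 1)[-1].split("/", 1)[0]


def scan_log(lines, protected=PROTECTED_DOMAINS):
    """Return (host, imitated_domain) for every line whose host is a lookalike."""
    findings = []
    for line in lines:
        host = host_of(line)
        verdict = classify(host, protected)
        if verdict.startswith("lookalike:"):
            findings.append((host, verdict.split(":", 1)[1]))
    return findings


if __name__ == "__main__":
    for host, target in scan_log(LOG_LINES):
        print(f"lookalike of {target}: {host}")
```

The legitimacy test runs on the raw lower-cased host while the similarity test runs on the folded form; keeping the two separate is what prevents a digit-for-letter substitution from being accepted as the real domain. The distance threshold and confusable table are deliberately small here and would be tuned against the organisation's own domain list in practice.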