While most users consider two-factor authentication a security measure to protect accounts, a researcher has proved otherwise. The researcher has simply deployed the tool online for easy access. As reported, he has developed a penetration testing tool named “Modlishka”. This Modlishka tool can bypass two-factor authentication and automate phishing attacks.
2FA Bypass Using Modlishka Tool
The researcher Piotr Duszyński has developed a pentesting tool named “Modlishka”. The tool can seamlessly handle automated phishing attacks. But, what makes it more interesting is the fact that it can distort the two-factor authentication required for account logins. To spice up things, he has released the tool online on Github.
As revealed by the Polish researcher in his blog post, Modlishka tool employs reverse proxy with slight modifications in a way to facilitate phishing attacks. Stating the reason behind the creation of this tool, he said,
“Modlishka was written with an aim to make that second approach (phishing campaigns) as effective as possible. This tool should be very useful to all penetration testers, that want to carry out an effective phishing campaign.”
Not only does Modlishka bypass 2FA, but also saves user credentials in its backend panel for later access by the attacker. He has explained the procedure of using this tool. He has also shared a video demonstrating Modlishka’s action in real-time.
U2F Still Resilient To Modlishka – But What About 2FA?
As explained by Duszyński, pentesting tools like Modlishka have shaken the credible stance of two-factor authentication.
“…with a right reverse proxy targeting your domain over an encrypted, browser trusted, communication channel one can really have serious difficulties in noticing that something is seriously wrong.”
Plus, the other threats such as URL bar spoofing, along with lack of awareness makes 2FA almost a failure. For now, the researcher considers U2F (Universal 2nd Factor) the only viable method enduring this attack.
“Currently, the only way to address this issue, from a technical perspective, is to entirely rely on 2FA hardware tokens, that are based on U2F protocol.”
Why Deploy Such A Dangerous Tool Online?
After reading about the tool, you might think why a pentester would release such a devastating tool online! Well, the researcher has given an interesting reason as an answer to this query.
“I believe that without a working proof of concept, that really proves the point, the risk is treated as theoretical, and no real measures are taken to address it properly.”
Modlishka isn’t the first exploitation of reverse proxy. Rather it has already been reported for active exploits in the past as well. Hence, what’s needed here is the awareness among the masses to stay vigilant against such instances.
LHN Has Reviewed The Tool
We have reviewed the tool at the following URL:?http://www.thenetpress.com/2019/01/13/modlishka-open-source-tool-for-advanced-phishing-campaigns/