Bypassing 2FA: How Cookies Can Be Exploited
Chapter 1: Understanding 2FA Vulnerabilities
When you enable two-factor authentication (2FA) on an account, it is tempting to think the account is now impenetrable. It is not. As defenses improve, so do the attackers' techniques: phishing has evolved, and attackers have found ways to work around 2FA rather than break it. The weak point is the session cookie stored in your web browser. After you log in and pass the 2FA challenge, the server issues a cookie that serves as proof that this browser has already authenticated; every subsequent request carries it, and the server does not ask for your password or second factor again. The browser keeps the cookie until it expires or is revoked, and only then do you have to log in again.
How tightly a session cookie is guarded varies by application, and stricter services add one or more of the following:
- Single-use or short-lived cookies that are rotated frequently
- Binding the cookie to the IP address, device, or other identifying traits of the client that authenticated, and rejecting requests where these do not match
- Linking the cookie to additional server-side state that is checked on every request (anti-spoofing mechanisms)
However, not all services implement these protections, and that is where attackers find their opportunity. Popular platforms such as Outlook and Gmail accept a replayed session cookie from another browser, so all an attacker needs is a way to copy the cookie out of the victim's browser.
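To make the second item in the list above concrete, here is an added example (not code from the original article or from any of the services it names) of what binding a session cookie to the authenticating client looks like on the server side. The in-memory session store, the HMAC-signed cookie format, the `issue_session`/`validate_cookie` names and the sample IP addresses and User-Agent strings are all assumptions made for illustration; the demo replays the same cookie from a second "browser", once against a service that does not bind the cookie and once against one that does.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for the demo; a real deployment loads this from a KMS or env var.
SERVER_KEY = secrets.token_bytes(32)

# In-memory session store (session id -> record). Stands in for Redis or a database.
SESSIONS = {}


def _client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client traits the session is pinned to (IP + User-Agent in this example)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def issue_session(user: str, ip: str, user_agent: str, bind_to_client: bool, ttl: int = 3600) -> str:
    """Create a session after password + 2FA succeed and return the cookie value.

    The cookie is "<sid>.<hmac>"; the client binding is stored server-side so the
    holder of the cookie cannot simply strip it off.
    """
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {
        "user": user,
        "expires": time.time() + ttl,
        "fingerprint": _client_fingerprint(ip, user_agent) if bind_to_client else None,
    }
    sig = hmac.new(SERVER_KEY, sid.encode(), "sha256").hexdigest()
    return f"{sid}.{sig}"


def validate_cookie(cookie: str, ip: str, user_agent: str):
    """Return the username if the cookie is a valid, unexpired session presented by the
    client it was bound to; otherwise return None."""
    try:
        sid, sig = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, sid.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered cookie
    rec = SESSIONS.get(sid)
    if rec is None or rec["expires"] < time.time():
        return None  # unknown or expired session
    if rec["fingerprint"] is not None and rec["fingerprint"] != _client_fingerprint(ip, user_agent):
        # A bound cookie arriving from a different client is treated as a stolen cookie:
        # reject the request and revoke the session so the attacker cannot keep retrying.
        SESSIONS.pop(sid, None)
        return None
    return rec["user"]


def demo_replay():
    """Simulate the export/import the article describes: the victim authenticates from
    Chrome on one host, the attacker replays the cookie from Firefox on another."""
    victim = ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0")      # constructed
    attacker = ("198.51.100.7", "Mozilla/5.0 (Macintosh) Firefox/121.0")         # constructed
    results = {}
    # Weak service: cookie is not bound to the client, so the replay is accepted as "alice".
    weak = issue_session("alice", *victim, bind_to_client=False)
    results["weak_replay"] = validate_cookie(weak, *attacker)
    # Hardened service: cookie is bound to the authenticating client.
    strong = issue_session("alice", *victim, bind_to_client=True)
    results["strong_owner"] = validate_cookie(strong, *victim)                 # legitimate use works
    results["strong_replay"] = validate_cookie(strong, *attacker)              # replay rejected, session revoked
    results["strong_owner_after_replay"] = validate_cookie(strong, *victim)    # owner is logged out too
    return results


if __name__ == "__main__":
    print(demo_replay())
```

Two caveats a practitioner will recognise: binding to the raw IP address breaks legitimate users who roam between networks or sit behind carrier-grade NAT, so production services tend to use softer signals and step-up re-authentication instead of a hard reject; and revoking the session on a mismatch protects the account at the cost of logging the real owner out, which is the fail-safe choice for a cookie that may have been stolen.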
To illustrate this process, I’ll demonstrate using a browser extension called EditThisCookie: http://www.editthiscookie.com/.
You don't need a specialized extension to view your cookies: press F12 to open the browser's developer tools and navigate to Application > Storage > Cookies to see the cookies in use. Extracting them that way is cumbersome, though; copying and pasting cookie values by hand is tedious and error-prone. A cookie editor like EditThisCookie exports and imports cookies in bulk, which makes moving them between browsers trivial.
For instance, let's take Outlook.com. After logging into my account and completing the MFA challenge, I can see my session cookie in Chrome. Firefox, on the other hand, shows that I am not logged in. Remember, cookies are stored per browser, so Firefox knows nothing about the session Chrome holds.
Using EditThisCookie, I export my Outlook cookie from Chrome and import it into Firefox. When I then revisit the Outlook site in Firefox, I am logged in, without a password or MFA prompt: the server sees the imported cookie and accepts it as proof that authentication has already happened.
This method works even if you switch devices. If I export the cookie from one device and import it into another, I can achieve the same result, depending on the application.
This is exactly what attackers are leveraging today. You might wonder how they get hold of your cookies. In practice they rarely need access to your device: pulling cookies off a machine with a script or a device like a USB Rubber Ducky is possible but requires physical access or code execution. It is far easier to lure the victim into handing the cookie over through a phishing page.
That is what EvilGinx does. It is a reverse-proxy phishing framework: the victim follows a link to a look-alike domain, and EvilGinx relays every request to the real login site and every response back, so the victim sees the genuine login page, enters the genuine password, and completes the genuine 2FA challenge. Because the proxy sits in the middle, it also sees the Set-Cookie headers the real service returns once authentication succeeds. Once a victim is deceived, EvilGinx saves that session token, and the attacker imports it into their own browser. This effectively bypasses 2FA: the server recognizes the cookie and assumes the user has already been authenticated. Some applications do restrict where a cookie can be used from, but EvilGinx sidesteps those checks as well, because the login and 2FA requests reached the server from the proxy rather than from the victim. From the server's point of view the session was established by EvilGinx, so a cookie bound to the client that authenticated is bound to the attacker's infrastructure, not to the real user.
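The server-side trace of this attack is a session that completes the MFA step from one client and is then used from a different IP address and a different browser. As an added example (not from the original article or from the EvilGinx project), the following Python flags sessions with that pattern in a set of constructed access-log lines. The log format, the path `/mfa/verify`, the session ids and the addresses are all assumptions made for the demo; it also assumes, as proxy phishing kits commonly do, that the proxy forwards the victim's User-Agent during login, so the MFA step is logged from the proxy's IP with the victim's browser string, and the later requests come from the attacker's own browser.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Assumed format:
# <ISO-8601 timestamp> <client ip> sid=<session id> ua="<user agent>" <method> <path>
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z 203.0.113.10 sid=s1 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" POST /login
2024-03-01T09:00:02Z 203.0.113.10 sid=s1 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" POST /mfa/verify
2024-03-01T09:05:10Z 203.0.113.10 sid=s1 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" GET /mail/inbox
2024-03-01T10:00:00Z 198.51.100.7 sid=s2 ua="Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0" POST /login
2024-03-01T10:00:01Z 198.51.100.7 sid=s2 ua="Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0" POST /mfa/verify
2024-03-01T10:02:30Z 192.0.2.55 sid=s2 ua="Mozilla/5.0 (Macintosh) Firefox/121.0" GET /mail/inbox
2024-03-01T10:02:45Z 192.0.2.55 sid=s2 ua="Mozilla/5.0 (Macintosh) Firefox/121.0" GET /mail/sent
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)" (?P<method>\S+) (?P<path>\S+)$'
)


def parse_logs(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_replayed_sessions(text: str, mfa_path: str = "/mfa/verify") -> dict:
    """Flag session ids whose post-MFA requests arrive from a different IP *and* a different
    User-Agent than the client that completed the MFA step.

    A changed IP on its own is common (mobile roaming, VPNs), so it is not flagged alone;
    IP and browser changing together is the signature of a cookie exported from one
    browser and imported into another.
    """
    by_sid = defaultdict(list)
    for ev in parse_logs(text):
        by_sid[ev["sid"]].append(ev)

    flagged = {}
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])  # same-format ISO-8601 timestamps sort lexically
        auth = next((e for e in evs if e["path"] == mfa_path), None)
        if auth is None:
            continue  # no MFA completion seen for this session; nothing to compare against
        foreign = [
            e for e in evs
            if e["ts"] > auth["ts"] and e["ip"] != auth["ip"] and e["ua"] != auth["ua"]
        ]
        if foreign:
            flagged[sid] = {
                "auth_ip": auth["ip"],
                "auth_ua": auth["ua"],
                "replay_ips": sorted({e["ip"] for e in foreign}),
                "replay_uas": sorted({e["ua"] for e in foreign}),
                "first_replay_ts": foreign[0]["ts"],
            }
    return flagged


if __name__ == "__main__":
    for sid, info in find_replayed_sessions(SAMPLE_LOGS).items():
        print(sid, info)
```

In the sample, `s1` is a normal session and is left alone; `s2` completes MFA from 198.51.100.7 and is then driven from 192.0.2.55 with a different browser, which is the replay. A real detection would add the time gap between the two clients and compare the IPs' ASNs or geolocations, but the core signal is the same.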
To further clarify how this process works, check out the following video:
With the rise of cloud computing, setting up these "Evil" servers is now incredibly affordable, often costing less than a cup of coffee.
The simplest defense is education. Because attackers now serve their phishing pages over HTTPS with valid certificates, the padlock proves nothing; verify the domain in the address bar before entering any credentials. A proxy like EvilGinx also cannot complete a phishing-resistant second factor: FIDO2/WebAuthn credentials are bound to the site's origin, so a challenge relayed through a look-alike domain fails. On the service side, short cookie lifetimes and re-prompting for the second factor on sensitive actions limit how long a stolen cookie is useful.
Stay informed to safeguard your online presence, as cyber threats continue to evolve.