MFA Can Be Easily Bypassed - Here's How

Comments

Nice. In addition to FIDO2 hardware keys, filtering policies to block newly registered or unknown domains can stop this, and any password manager will stop this as well.

tschaderdstrom

I got myself a Yubikey. I love it; not only is it great for security, but it's so much nicer than typing codes all the time. I really do wish more sites supported it.

natpow

Awesome explanation and ease of use showing. This essentially blows away the MFA security blanket if someone just hits the "yes" button when they think they are logging in to a legitimate session.

wavemakersdj

Great demonstration. The weakest link in cybersecurity continues to be the user. It is becoming very difficult for normal users to identify phishing and MITM attacks.

helshabini

There are solutions. The idea behind this whole attack is that it makes a standard MITM attack, but there are Auth systems like Zalter Identity which are impossible to break in this way. The idea behind their authentication is that they exchange a signature key on both sides and eventually, instead of using tokens to maintain the identity, full message (request) signatures are used to authenticate the user is who they claim they are. Take a look at their product and see whether you're finding it better. Now, in regards to the Client Hello fingerprinting, that would be fine if the client fingerprint would be fixed. With TLS 3 that's basically not the case for the client. Would, however, fulfill the same exact purpose as a user signature key. There are issues with the way you can trust the files in the browser, which is basically the main problem. In that regard HSTS and certificate pinning have done something to alleviate the problem, but not completely. If the user is phished for though... then nothing can protect them really.

thegeapy

HOLY FUCK! lol I’ve analyzed these phishing emails every day but didn’t know the MFA bypass capabilities… can't wait to go to work lol.. Thanks so much

Levonte

Great video, but about Guardio, did you check their privacy policy & ToS?

lel

Just earned a sub, good content. I liked the defensive strategy option at the end. If you're gonna expose a problem, better provide a solution (if able to). Most channels don't really do this, or it's so damn convoluted and drawn out if they do.

reegyreegz

How do you typically decide what projects to do and where do you often source your research from? I'm a bit more advanced in my IT and cybersecurity career but am always itching to learn a new skill. I could use some insights on finding new and interesting things to trial and experiment with myself.

timothycain

Great information, thanks.... But what about phones then? If people access their email via phone, how will they be able to use a FIDO key?

AngryPatriotvideos

Great video @collinsinfosec. Do you think that some sort of server+client side validation of the FQDN through JavaScript (obv. in a secure way) would prevent users from falling for this kind of trap?

leonardobaggio

May I ask how do you know what DNS record to add for each phishlet? They would need to be different, wouldn't they?
Great video!

sliceoflife

Not sure if the email address is correct, but if it is, you missed some blurring around 3:54 in the link preview at the bottom of the screen.

grahamornstein

Does it still work nowadays?
I heard Microsoft has implemented a way to prevent this, but I'm just wondering if it is still working nowadays.

novianindy

Is the token still valid if the attacker’s connection comes from a different source IP address than the legitimate user?

adrianbool

Still, it needs a successful phishing, right? Call me old-fashioned, but I use Google Authenticator, no pop-up notification 🙂

SamSam-icqm

This depends on the user clicking on a link to the fake login site, correct? I hate it when Chrome and other browsers do not show the actual URL in the status bar. Also, the URL address bar just shows the title of the page.

BryanChance

I don't know how I found you? 😇
But really, I'm quietly loving your videos ♥

moonx

Microsoft have a version of FIDO2 passwordless using their Authenticator app and ‘enter the on-screen number’ prompts. Could this be replayed too?

rucko

How did you manage to get that certificate? You mentioned a Let's Encrypt cert, which to my knowledge shows an exclamation (!) sign in the website padlock.

mukto